Abstract. For large ranks, there is no good algorithm that decides whether a given lattice has an orthonormal basis. But when the lattice is given with enough symmetry, we can construct a provably deterministic polynomial-time algorithm to accomplish this, based on the work of Gentry and Szydlo. The techniques involve algorithmic algebraic number theory, analytic number theory, commutative algebra, and lattice basis reduction.


1. Introduction 

Let $G$ be a finite abelian group and let $u \in G$ be a fixed element of order 2. Define a $G$-lattice to be an integral lattice $L$ with an action of $G$ on $L$ that preserves the inner product, such that $u$ acts as $-1$. The standard $G$-lattice is the modified group ring $\mathbb{Z}(G) = \mathbb{Z}[G]/(u+1)$, equipped with a natural inner product; we refer to Sections 5 and 6 for more precise definitions. Our main result reads as follows:

Theorem 1.1. There is a deterministic polynomial-time algorithm that, given a 
finite abelian group G with an element u of order 2, and a G-lattice L, decides 
whether L and Z(G) are isomorphic as G-lattices, and if they are, exhibits such an 
isomorphism. 

We call a $G$-lattice $L$ invertible if it is unimodular and there is a $\mathbb{Z}(G)$-module $M$ such that $L \otimes_{\mathbb{Z}(G)} M$ and $\mathbb{Z}(G)$ are isomorphic as $\mathbb{Z}(G)$-modules (see Definition 9.4 and Theorem 11.1). For example, the standard $G$-lattice is invertible. The following result is a consequence of Theorem 1.1.

Theorem 1.2. There is a deterministic polynomial-time algorithm that, given a 
finite abelian group G equipped with an element of order 2, and invertible G-lattices 
L and M, decides whether L and M are isomorphic as G-lattices, and if they are, 
exhibits such an isomorphism. 

Deciding whether two lattices are isomorphic is a notorious problem. Our results 
show that it admits a satisfactory solution if the lattices are equipped with sufficient 
structure. 

Our algorithms and runtime estimates draw upon an array of techniques from 
algorithmic algebraic number theory, commutative algebra, lattice basis reduction, 
and analytic number theory. We develop techniques from commutative algebra that have not yet been fully exploited in the context of cryptology.

An important ingredient of our algorithm is a powerful novel technique that was invented by C. Gentry and M. Szydlo in Section 7 of [4]. We recast their method in the language of commutative algebra, replacing the "polynomial chains" that they used to compute powers of ideals in certain rings by tensor powers of modules. A number of additional changes enabled us to obtain a deterministic polynomial-time algorithm, whereas the Gentry-Szydlo algorithm is at best probabilistic.

The technique of Gentry and Szydlo has seen several applications in cryptography, as enumerated in [9]. By placing it in an algebraic framework, we have already been able to generalize the method significantly, replacing the rings $\mathbb{Z}[X]/(X^n - 1)$ (with $n$ an odd prime) used by Gentry and Szydlo by the larger class of modified group rings that we defined above, and further extensions appear to be possible. In addition, we hope that our reformulation will make it easier to understand the method and improve upon it. This should help to make it more widely applicable in a cryptographic context.

1.1. Overview of the algorithm proving Theorem 1.1. The algorithm starts by testing whether the given $G$-lattice $L$ is invertible, which is a necessary condition for being isomorphic to the standard $G$-lattice. Invertibility is a concept with several attractive properties. First, it is easy to test. Secondly, every invertible $G$-lattice has rank $\#G/2$ and determinant 1, and therefore can be specified using a small number of bits (Proposition 3.4 below, and the way it is used to prove Theorem 14.5). Thirdly, an invertible $G$-lattice $L$ is isomorphic to the standard one if and only if there is a short element $e \in L$, that is, an element of length 1.

Accordingly, most of the algorithm consists of looking for short elements in invertible $G$-lattices, or proving that none exists. The main tool for this is a further property of invertible $G$-lattices, which concerns multiplication. As the name suggests, any invertible $G$-lattice $L$ has an inverse $\bar{L}$, which is also an invertible $G$-lattice, and any two invertible $G$-lattices $L$ and $M$ can be multiplied using a tensor product operation, which yields again an invertible $G$-lattice. For example, the product of $L$ and $\bar{L}$ is the standard $G$-lattice $\mathbb{Z}(G)$.

No sequence of multiplications will ever give rise to coefficient blow-up since, as remarked above, every invertible $G$-lattice can be specified using a small number of bits. It suffices to take the simple precaution of performing a lattice basis reduction after every multiplication (as in Algorithm 15.1). It is a striking consequence that even very high powers $L^r$ of $L$ can be efficiently computed!

Each short element $e \in L$ gives rise to a short element $e^r \in L^r$, which may be thought of as the $r$-th power of $e$. If $r$ is well chosen ($r = k(\ell)$, in the notation of Algorithm 19.1), then $e^r$ will satisfy a congruence condition (modulo $\ell$), and if we take $\ell$ large enough this enables us to determine $e^r$ (or show that no $e$ exists). However, passing directly from $e^r$ to $e$ is infeasible due to the large size of $r$. Thus, one also finds $e^s \in L^s$ for a second well-chosen large number $s$ ($= k(m)$, in Algorithm 19.1), and a multiplicative combination of $e^r$ and $e^s$ yields $e^{\gcd(r,s)} \in L^{\gcd(r,s)}$. A result from analytic number theory shows that $r$ and $s$ can be chosen such that $\gcd(r,s)$ ($= k$, in Algorithm 19.1) is so small that $e$, if it exists, can be found from $e^{\gcd(r,s)}$ by a relatively easy root extraction. The latter step requires techniques (Proposition 17.3) of a nature entirely different from those in the present paper, and is therefore delegated to a separate publication [?].
While we believe that the techniques introduced here could lead to practical algorithms, we did not attempt an actual implementation. Also, any choices and recommendations we made were inspired by the desire to give a clean proof of our theorem rather than efficient algorithms.

1.2. Structure of the paper. Sections 2–4 contain background on integral lattices. In particular, we derive a new bound for the entries of a matrix describing an automorphism of a unimodular lattice with respect to a reduced basis (Proposition 3.4). Sections 5–7 contain basic material about $G$-lattices and modified group rings. Important examples of $G$-lattices are the ideal lattices introduced in Section 8. In Remark 8.6 we explain how to recover the Gentry-Szydlo algorithm from Theorem 1.2. In Sections 9–10 we begin our study of invertible $G$-lattices, giving several equivalent definitions and an algorithm for recognizing invertibility. Section 11 is devoted to the following pleasing result: a $G$-lattice is $G$-isomorphic to the standard one if and only if it is invertible and has a vector of length 1. In Sections 12–15 we show how to multiply invertible $G$-lattices and we introduce the Witt-Picard group of $\mathbb{Z}(G)$, of which the elements correspond to $G$-isomorphism classes of invertible $G$-lattices. It has properties reminiscent of the class group in algebraic number theory; in particular, it is a finite abelian group (Theorems 14.2 and 14.5). We also show how to do computations in the Witt-Picard group. In Section 16 we treat the extended tensor algebra $A$, which is in a sense the hero of the story: it is a single algebraic structure that comprises all rings and lattices occurring in our main algorithm. Section 17 shows how $A$ can be used to assist in finding vectors of length 1. In Section 18 we use Linnik's theorem from analytic number theory in order to find auxiliary numbers in our main algorithm, and our main algorithm is presented in Section 19.

1.3. Notation. For the purposes of this paper, commutative rings have an identity element 1, which may be 0. If $R$ is a commutative ring, let $R^*$ denote the group of elements of $R$ that have a multiplicative inverse in $R$.

2. Integral lattices 

We begin with some background on lattices and on lattice automorphisms (see also [8]).

Definition 2.1. A lattice or integral lattice is a finitely generated abelian group $L$ with a map $\langle\cdot,\cdot\rangle : L \times L \to \mathbb{Z}$ that is

• bilinear: $\langle x, y+z\rangle = \langle x,y\rangle + \langle x,z\rangle$ and $\langle x+y, z\rangle = \langle x,z\rangle + \langle y,z\rangle$ for all $x,y,z \in L$,

• symmetric: $\langle x,y\rangle = \langle y,x\rangle$ for all $x,y \in L$, and

• positive definite: $\langle x,x\rangle > 0$ if $0 \neq x \in L$.

As a group, $L$ is isomorphic to $\mathbb{Z}^n$ for some $n \in \mathbb{Z}_{\geq 0}$, which is called the rank of $L$ and is denoted $\operatorname{rank}(L)$. In algorithms, a lattice is specified by a Gram matrix associated to a $\mathbb{Z}$-basis, and an element of a lattice is specified by its coefficient vector on the same basis. The inner product $\langle\cdot,\cdot\rangle$ extends to a real-valued inner product on $L \otimes_{\mathbb{Z}} \mathbb{R}$ and makes $L \otimes_{\mathbb{Z}} \mathbb{R}$ into a Euclidean vector space.

Definition 2.2. The standard lattice of rank $n$ is $\mathbb{Z}^n$ with $\langle x,y\rangle = \sum_{i=1}^n x_i y_i$. Its Gram matrix is the $n \times n$ identity matrix.
Definition 2.3. The determinant $\det(L)$ of a lattice $L$ is the determinant of the Gram matrix of $L$; equivalently, $\det(L)$ is the order of the cokernel of the map $L \to \operatorname{Hom}(L,\mathbb{Z})$, $x \mapsto (y \mapsto \langle x,y\rangle)$. A lattice $L$ is unimodular if this map is bijective, i.e., if $\det(L) = 1$.

Definition 2.4. An isomorphism $L \to M$ of lattices is a group isomorphism $\varphi$ from $L$ to $M$ that respects the lattice structures, i.e.,

$\langle \varphi(x), \varphi(y)\rangle = \langle x,y\rangle$

for all $x,y \in L$. If such a map $\varphi$ exists, then $L$ and $M$ are isomorphic lattices. An automorphism of a lattice $L$ is an isomorphism from $L$ to itself. The set of automorphisms of $L$ is a finite group $\operatorname{Aut}(L)$ whose center contains $-1$.

In algorithms, isomorphisms are specified by their matrices on the given bases of $L$ and $M$.

Examples 2.5.

(i) "Random" lattices have $\operatorname{Aut}(L) = \{\pm 1\}$.

(ii) Letting $S_n$ denote the symmetric group on $n$ letters and $\rtimes$ denote semidirect product, we have $\operatorname{Aut}(\mathbb{Z}^n) = \{\pm 1\}^n \rtimes S_n$. (The standard basis vectors can be permuted, and signs changed.)

(iii) If $L$ is the equilateral triangular lattice in the plane, then $\operatorname{Aut}(L)$ is the symmetry group of the regular hexagon, which is a dihedral group of order 12.

3. Reduced bases and automorphisms

The main result of this section is Proposition 3.4, in which we obtain some bounds for LLL-reduced bases of unimodular lattices. We will use this result to give bounds on the complexity of our algorithms and to show that the Witt-Picard group (Definition 14.1 below) is finite. If $L$ is a lattice and $a \in L \otimes_{\mathbb{Z}} \mathbb{R}$, let $|a| = \langle a,a\rangle^{1/2}$.

Definition 3.1. If $\{b_1, \ldots, b_n\}$ is a basis for a lattice $L$, and $\{b_1^*, \ldots, b_n^*\}$ is its Gram-Schmidt orthogonalization, and

$b_i = b_i^* + \sum_{j=1}^{i-1} \mu_{ij} b_j^*$

with $\mu_{ij} \in \mathbb{R}$, then $\{b_1, \ldots, b_n\}$ is LLL-reduced if

(i) $|\mu_{ij}| \leq 1/2$ for all $j < i \leq n$, and

(ii) $|b_i^*|^2 \leq 2|b_{i+1}^*|^2$ for all $i < n$.

Remark 3.2. The LLL basis reduction algorithm [7] takes as input a lattice, and 
produces an LLL-reduced basis of the lattice, in polynomial time. 

Lemma 3.3. If $a = (\mu_{ij})_{ij} \in M(n,\mathbb{R})$ is a lower-triangular real matrix with $\mu_{ii} = 1$ for all $i$ and $|\mu_{ij}| \leq 1/2$ for all $j < i$, and $a^{-1} = (w_{ij})_{ij}$, then

$|w_{ij}| \leq \begin{cases} 0 & \text{if } i < j, \\ 1 & \text{if } i = j, \\ \frac{1}{2}\left(\frac{3}{2}\right)^{i-j-1} & \text{if } i > j. \end{cases}$
Proof. Define $e \in M(n,\mathbb{R})$ by $e_{ij} = 0$ if $j \geq i$ and $e_{ij} = 1/2$ if $j < i$. Define $h \in M(n,\mathbb{R})$ by $h_{i+1,i} = 1$ for $i = 1, \ldots, n-1$ and $h_{ij} = 0$ otherwise. Then

$e = \sum_{l=1}^{\infty} \frac{1}{2} h^l = \frac{h}{2(1-h)}.$

Thus, $1 - e = (1 - 3h/2)/(1-h)$ and

$(1-e)^{-1} = (1-h)/(1-3h/2) = (1-h)\sum_{l=0}^{\infty} \left(\tfrac{3}{2}\right)^l h^l = 1 + \sum_{l=1}^{\infty} \tfrac{1}{2}\left(\tfrac{3}{2}\right)^{l-1} h^l = \begin{pmatrix} 1 & 0 & 0 & \cdots & 0 \\ \frac{1}{2} & 1 & 0 & \cdots & 0 \\ \frac{1}{2}\cdot\frac{3}{2} & \frac{1}{2} & 1 & \cdots & 0 \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ \frac{1}{2}\left(\frac{3}{2}\right)^{n-2} & \frac{1}{2}\left(\frac{3}{2}\right)^{n-3} & \cdots & \frac{1}{2} & 1 \end{pmatrix},$

which has $ij$ entry $0$ if $i < j$, $1$ if $i = j$, and $\frac{1}{2}\left(\frac{3}{2}\right)^{i-j-1}$ if $i > j$. Since $e^n = 0 = (1-a)^n$, we have

$(1-e)^{-1} = \sum_{i=0}^{n-1} e^i \quad\text{and}\quad a^{-1} = \sum_{i=0}^{n-1} (1-a)^i.$

If $c = (c_{ij})_{ij} \in M(n,\mathbb{R})$, let $|c|$ denote $(|c_{ij}|)_{ij}$. If $c, d \in M(n,\mathbb{R})$, then $c \leq d$ means that $c_{ij} \leq d_{ij}$ for all $i$ and $j$. We have

$|a^{-1}| \leq \sum_{i=0}^{n-1} |1-a|^i \leq \sum_{i=0}^{n-1} e^i = (1-e)^{-1}.$

This gives the desired result. □
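An added example (not code from the paper) that checks Lemma 3.3 with exact rational arithmetic and, going beyond what the proof states, shows that the bound is attained entrywise when every $\mu_{ij}$ with $j < i$ equals $-1/2$, so that $1 - a$ is exactly the matrix $e$ of the proof; the function names are my own.

```python
from fractions import Fraction
from random import Random


def lemma_3_3_bound(i, j):
    """Right-hand side of Lemma 3.3 for the (i, j) entry of a^{-1}, 1-based indices."""
    if i < j:
        return Fraction(0)
    if i == j:
        return Fraction(1)
    return Fraction(1, 2) * Fraction(3, 2) ** (i - j - 1)


def unit_lower_inverse(a):
    """Exact inverse of a unit lower-triangular matrix by forward substitution."""
    n = len(a)
    w = [[Fraction(0)] * n for _ in range(n)]
    for j in range(n):                       # column j of w solves a * w[:, j] = e_j
        for i in range(n):
            w[i][j] = Fraction(1 if i == j else 0) - sum(a[i][k] * w[k][j] for k in range(i))
    return w


def satisfies_lemma_3_3(a):
    """True if every entry of a^{-1} obeys the bound of Lemma 3.3."""
    n, w = len(a), unit_lower_inverse(a)
    return all(abs(w[i][j]) <= lemma_3_3_bound(i + 1, j + 1)
               for i in range(n) for j in range(n))


def worst_case_matrix(n):
    """mu_ij = -1/2 for all j < i: here 1 - a is the matrix e of the proof."""
    return [[Fraction(1) if i == j else Fraction(-1, 2) if j < i else Fraction(0)
             for j in range(n)] for i in range(n)]


def attains_bound(n):
    """The worst-case matrix meets Lemma 3.3 with equality in every entry."""
    w = unit_lower_inverse(worst_case_matrix(n))
    return all(w[i][j] == lemma_3_3_bound(i + 1, j + 1)
               for i in range(n) for j in range(n))


def random_size_reduced_matrix(n, seed):
    """A random unit lower-triangular matrix with |mu_ij| <= 1/2 (constructed input)."""
    rng = Random(seed)
    return [[Fraction(1) if i == j else Fraction(rng.randint(-500, 500), 1000) if j < i
             else Fraction(0) for j in range(n)] for i in range(n)]
```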


Proposition 3.4. If $\{b_1, \ldots, b_n\}$ is an LLL-reduced basis for an integral unimodular lattice $L$ and $\{b_1^*, \ldots, b_n^*\}$ is its Gram-Schmidt orthogonalization, then

(i) $2^{1-i} \leq |b_i^*|^2 \leq 2^{n-i}$,

(ii) $|b_i|^2 \leq 2^{n-1}$ for all $i \in \{1, \ldots, n\}$,

(iii) $|\langle b_i, b_j\rangle| \leq 2^{n-1}$ for all $i$ and $j$,

(iv) if $\sigma \in \operatorname{Aut}(L)$, and for each $i$ we have $\sigma(b_i) = \sum_{j=1}^n a_{ij} b_j$, then $|a_{ij}| \leq 3^{n-1}$ for all $i$ and $j$.

Proof. It follows from Definition 3.1 that for all $1 \leq j \leq i \leq n$ we have $|b_j^*|^2 \leq 2^{i-j}|b_i^*|^2$, so for all $i$ we have

$2^{1-i}|b_1^*|^2 \leq |b_i^*|^2 \leq 2^{n-i}|b_n^*|^2.$

Since $L$ is integral we have

$|b_1^*|^2 = |b_1|^2 = \langle b_1, b_1\rangle \geq 1,$

so $|b_i^*|^2 \geq 2^{1-i}$. Letting $L_i = \bigoplus_{j \leq i} \mathbb{Z} b_j$, we have

$|b_i^*|^2 = \det(L_i)/\det(L_{i-1}).$

Since $L$ is integral and unimodular, we have

$|b_n^*|^2 = \det(L_n)/\det(L_{n-1}) = 1/\det(L_{n-1}) \leq 1,$

so $|b_i^*|^2 \leq 2^{n-i}$, giving (i).

Since $\{b_i^*\}$ is orthogonal we have

$|b_i|^2 = |b_i^*|^2 + \sum_{j=1}^{i-1} \mu_{ij}^2 |b_j^*|^2 \leq 2^{n-i} + \frac{1}{4}\sum_{j=1}^{i-1} 2^{n-j} = 2^{n-i} + (2^{n-2} - 2^{n-i-1}) = 2^{n-2} + 2^{n-i-1} \leq 2^{n-1},$

giving (ii). Now (iii) follows by applying the Cauchy-Schwarz inequality $|\langle b_i, b_j\rangle| \leq |b_i||b_j|$ and (ii).

For (iv), define $\{c_1, \ldots, c_n\}$ to be the basis of $L \otimes_{\mathbb{Z}} \mathbb{R}$ that is dual to $\{b_1, \ldots, b_n\}$, i.e., $\langle c_i, b_j\rangle = \delta_{ij}$ for all $i$ and $j$, where $\delta_{ij}$ is the Kronecker delta symbol. Then $a_{ij} = \langle c_j, \sigma(b_i)\rangle$, so

(3.1) $|a_{ij}| \leq |c_j||\sigma(b_i)| = |c_j||b_i|.$

Define $\mu_{ii} = 1$ for all $i$ and $\mu_{ij} = 0$ if $i < j$, and let

$M = (\mu_{ij})_{ij} \in M(n,\mathbb{R}).$

Then

$(b_1\ b_2\ \cdots\ b_n) = (b_1^*\ b_2^*\ \cdots\ b_n^*)\,M^t.$

For $0 \neq x \in L \otimes_{\mathbb{Z}} \mathbb{R}$ define

$x^{-1} = \frac{x}{\langle x, x\rangle}.$

This inverse map is characterized by the properties that $\langle x, x^{-1}\rangle = 1$ and $\mathbb{R}x^{-1} = \mathbb{R}x$; so $(x^{-1})^{-1} = x$. Since the basis dual to $\{b_i^*\}_i$ is $\{(b_i^*)^{-1}\}_i$, and $M$ gives the change of basis from $\{b_i^*\}_i$ to $\{b_i\}_i$, it follows that the matrix $(M^t)^{-1}$ gives the change of basis from $\{(b_i^*)^{-1}\}_i$ to $\{c_i\}_i$. Thus,

$(c_1\ \cdots\ c_n) = ((b_1^*)^{-1}\ \cdots\ (b_n^*)^{-1})\,M^{-1}.$

Letting $(v_{ij})_{ij} = M^{-1}$, by Lemma 3.3 we have

$c_j = \sum_{i \geq j} v_{ij} (b_i^*)^{-1}$

with $v_{jj} = 1$ and $|v_{ij}| \leq \frac{1}{2}\left(\frac{3}{2}\right)^{i-j-1}$ if $i > j$. By (i) we have

$|(b_i^*)^{-1}|^2 = |b_i^*|^{-2} \leq 2^{i-1}.$

Thus,

$|c_j|^2 = \sum_{i \geq j} v_{ij}^2 |(b_i^*)^{-1}|^2 \leq 2^{j-1} + \frac{1}{4}\sum_{i > j} 2^{i-1}\left(\frac{9}{4}\right)^{i-j-1} = 2^{j-1}\left(1 + \frac{1}{4}\sum_{k=1}^{n-j} 2^k\left(\frac{9}{4}\right)^{k-1}\right) = 2^{j-1}\left(\frac{6}{7} + \frac{1}{7}\left(\frac{9}{2}\right)^{n-j}\right) \leq \frac{6}{7}\left(\frac{9}{2}\right)^{n-1} + \frac{1}{7}\left(\frac{9}{2}\right)^{n-1} = \left(\frac{9}{2}\right)^{n-1}.$

Now by (ii) and (3.1) we have $|a_{ij}|^2 \leq 9^{n-1}$, as desired. □


Remark 3.5. It is easier to get the weaker bound $|a_{ij}| \leq 2^{\binom{n}{2}}$, as follows. Write $b_j = b_j^{\perp} + y$ with $y \in \sum_{i \neq j} \mathbb{R} b_i$ and $b_j^{\perp}$ orthogonal to $\sum_{i \neq j} \mathbb{R} b_i$. With $c_j$ as in the proof of Proposition 3.4 we have $c_j = (b_j^{\perp})^{-1}$, by the characterizations of $(b_j^{\perp})^{-1}$ and $c_j$. Since

$1 = \det(L) = \det\Big(\sum_{i \neq j} \mathbb{Z} b_i\Big)\,|b_j^{\perp}|^2,$

we have

$|c_j| = \det\Big(\sum_{i \neq j} \mathbb{Z} b_i\Big)^{1/2} \leq \prod_{i \neq j} |b_i| \leq 2^{(n-1)^2/2}$

by Hadamard's inequality and Proposition 3.4(ii). By (3.1) and Proposition 3.4(ii) we have $|a_{ij}| \leq 2^{\binom{n}{2}}$.


4. Short vectors in lattice cosets 

We show how to find the unique vector of length 1 in a suitable lattice coset, 
when such a vector exists. 

Proposition 4.1. Suppose $L$ is an integral lattice, $3 \leq m \in \mathbb{Z}$, and $C \in L/mL$. Then the coset $C$ contains at most one element $x \in L$ with $\langle x, x\rangle = 1$.

Proof. Suppose $x, y \in C$, with $\langle x,x\rangle = \langle y,y\rangle = 1$. Since $x, y \in C$, there exists $w \in L$ such that $x - y = mw$. Using the triangle inequality, we have

$m\langle w,w\rangle^{1/2} = \langle x-y, x-y\rangle^{1/2} \leq \langle x,x\rangle^{1/2} + \langle y,y\rangle^{1/2} = 1 + 1 = 2.$

Since $m \geq 3$ and $\langle w,w\rangle \in \mathbb{Z}_{\geq 0}$, we have $w = 0$, and thus $y = x$. □

Algorithm 4.2. Given a rank $n$ integral lattice $L$, an integer $m$ such that $m > 2^{n/2} + 1$, and $C \in L/mL$, the algorithm computes all $y \in C$ with $\langle y,y\rangle = 1$.

(i) Compute an LLL-reduced basis for $mL$ and use it as in §10 of [8] to compute $y \in C$ such that $\langle y,y\rangle \leq (2^n - 1)\langle x,x\rangle$ for all $x \in C$, i.e., to find an approximate solution to the nearest vector problem.

(ii) Compute $\langle y,y\rangle$.

(iii) If $\langle y,y\rangle = 1$, output $y$.

(iv) If $\langle y,y\rangle \neq 1$, output "there is no $y \in C$ with $\langle y,y\rangle = 1$".

Proposition 4.3. Algorithm 4.2 is a deterministic polynomial-time algorithm that, given an integral lattice $L$, an integer $m$ such that $m > 2^{n/2} + 1$ where $n = \operatorname{rank}(L)$, and $C \in L/mL$, outputs all $y \in C$ with $\langle y,y\rangle = 1$. The number of such $y$ is 0 or 1.

Proof. Suppose $x \in C$ with $\langle x,x\rangle = 1$. Since $x, y \in C$, there exists $w \in L$ such that $x - y = mw$. Using the triangle inequality, we have

$m\langle w,w\rangle^{1/2} = \langle x-y, x-y\rangle^{1/2} \leq \langle x,x\rangle^{1/2} + \langle y,y\rangle^{1/2} \leq (1 + 2^{n/2})\langle x,x\rangle^{1/2} < m,$

so $\langle w,w\rangle^{1/2} < 1$. Since $\langle w,w\rangle \in \mathbb{Z}_{\geq 0}$, we have $w = 0$, and thus $y = x$. If $\langle y,y\rangle \neq 1$, there is no $x \in C$ with $\langle x,x\rangle = 1$. □
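Algorithm 4.2 as runnable code, added here and not part of the paper. It assumes the lattice is given by integer basis vectors with the standard dot product (instead of a Gram matrix), and it uses Babai's nearest-plane procedure on the LLL-reduced basis of $mL$ as the approximate nearest-vector step (i) in place of the method of §10 of [8]; its $2^{n/2}$ approximation factor is exactly what the proof of Proposition 4.3 needs.

```python
from fractions import Fraction


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def gram_schmidt(basis):
    """Gram-Schmidt vectors b_i^* and coefficients mu_ij of Definition 3.1, computed exactly."""
    n = len(basis)
    star, mu = [], [[Fraction(0)] * n for _ in range(n)]
    for i in range(n):
        v = [Fraction(x) for x in basis[i]]
        for j in range(i):
            mu[i][j] = dot(basis[i], star[j]) / dot(star[j], star[j])
            v = [a - mu[i][j] * b for a, b in zip(v, star[j])]
        star.append(v)
    return star, mu


def is_lll_reduced(basis):
    """Definition 3.1: |mu_ij| <= 1/2 for j < i, and |b_i^*|^2 <= 2 |b_{i+1}^*|^2."""
    star, mu = gram_schmidt(basis)
    n = len(basis)
    return (all(abs(mu[i][j]) <= Fraction(1, 2) for i in range(n) for j in range(i))
            and all(dot(star[i], star[i]) <= 2 * dot(star[i + 1], star[i + 1])
                    for i in range(n - 1)))


def lll(basis, delta=Fraction(3, 4)):
    """Textbook LLL on integer row vectors (Remark 3.2); the Lovasz condition with
    delta = 3/4 implies condition (ii) of Definition 3.1."""
    b = [list(v) for v in basis]
    n, k = len(b), 1
    star, mu = gram_schmidt(b)
    while k < n:
        for j in range(k - 1, -1, -1):          # size reduction, makes |mu_kj| <= 1/2
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                star, mu = gram_schmidt(b)
        if dot(star[k], star[k]) >= (delta - mu[k][k - 1] ** 2) * dot(star[k - 1], star[k - 1]):
            k += 1                              # Lovasz condition holds, move on
        else:
            b[k], b[k - 1] = b[k - 1], b[k]     # swap and step back
            star, mu = gram_schmidt(b)
            k = max(k - 1, 1)
    return b


def nearest_plane_residual(reduced, target):
    """Babai's nearest-plane step on an LLL-reduced basis: returns target minus a
    lattice vector, i.e. a representative of the coset target + mL that is within a
    factor 2^(n/2) of the shortest one (the approximate-CVP step (i) of Algorithm 4.2)."""
    star, _ = gram_schmidt(reduced)
    y = [Fraction(x) for x in target]
    for i in range(len(reduced) - 1, -1, -1):
        c = round(dot(y, star[i]) / dot(star[i], star[i]))
        y = [a - c * b for a, b in zip(y, reduced[i])]
    return [int(x) for x in y]


def length_one_in_coset(basis, m, c):
    """Algorithm 4.2: the unique y in the coset c + mL with <y,y> = 1, or None.
    basis: integer row vectors spanning L; c: an integer vector representing C."""
    n = len(basis)
    if m <= 2 ** (n / 2) + 1:
        raise ValueError("Proposition 4.3 needs m > 2^(n/2) + 1")
    reduced = lll([[m * x for x in v] for v in basis])   # step (i): reduce a basis of mL
    y = nearest_plane_residual(reduced, c)               # y lies in c + mL
    return y if dot(y, y) == 1 else None                  # steps (ii)-(iv)


# Constructed sample: a "bad" basis of Z^3 (lower triangular, determinant 1), rank 3,
# so m = 4 > 2^(3/2) + 1 is allowed.  The first coset representative hides the unit
# vector e_2 = (0, 1, 0) behind the lattice vector 4 * (0, -6, -1).
BAD_BASIS = [[1, 0, 0], [3, 1, 0], [5, 7, 1]]
COSET_WITH_UNIT = [0, -23, -4]        # = (0, 1, 0) + 4 * (0, -6, -1)
COSET_WITHOUT_UNIT = [21, 29, 4]      # = (1, 1, 0) + 4 * (5, 7, 1): no vector of length 1

if __name__ == "__main__":
    print(length_one_in_coset(BAD_BASIS, 4, COSET_WITH_UNIT))     # [0, 1, 0]
    print(length_one_in_coset(BAD_BASIS, 4, COSET_WITHOUT_UNIT))  # None
```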


5. G-lattices 

We introduce $G$-lattices and $G$-isomorphisms. From now on, suppose that $G$ is a finite abelian group equipped with a fixed element $u$ of order 2, and that $n = \#G/2 \in \mathbb{Z}$.

Definition 5.1. Let $S$ be a set of coset representatives of $G/\langle u\rangle$ (i.e., $\#S = n$ and $G = S \cup uS$), and for simplicity take $S$ so that $1 \in S$.

Definition 5.2. A $G$-lattice is a lattice $L$ together with a group homomorphism $f : G \to \operatorname{Aut}(L)$ such that $f(u) = -1$. For each $\sigma \in G$ and $x \in L$, define $\sigma x \in L$ by $\sigma x = f(\sigma)(x)$.

The abelian group $G$ is specified by a multiplication table. The $G$-lattice $L$ is specified as a lattice along with, for each $\sigma \in G$, the matrix describing the action of $\sigma$ on $L$.

Definition 5.3. If $L$ and $M$ are $G$-lattices, then a $G$-isomorphism is an isomorphism $\varphi : L \to M$ of lattices that respects the $G$-actions, i.e., $\varphi(\sigma x) = \sigma\varphi(x)$ for all $x \in L$ and $\sigma \in G$. If such an isomorphism exists, we say that $L$ and $M$ are $G$-isomorphic, or isomorphic as $G$-lattices.

6. The modified group ring $\mathbb{Z}(G)$

We define a modified group ring $A(G)$ whenever $A$ is a commutative ring. We will usually take $A = \mathbb{Z}$, but will also take $A = \mathbb{Z}/m\mathbb{Z}$ and $\mathbb{Q}$ and $\mathbb{C}$.

If $H$ is a group and $A$ is a commutative ring, the group ring $A[H]$ is the set of formal sums $\sum_{\sigma \in H} a_\sigma \sigma$ with $a_\sigma \in A$, with addition defined by

$\sum_{\sigma \in H} a_\sigma \sigma + \sum_{\sigma \in H} b_\sigma \sigma = \sum_{\sigma \in H} (a_\sigma + b_\sigma)\sigma$

and multiplication defined by

$\Big(\sum_{\sigma \in H} a_\sigma \sigma\Big)\Big(\sum_{\tau \in H} b_\tau \tau\Big) = \sum_{\rho \in H}\Big(\sum_{\sigma\tau = \rho} a_\sigma b_\tau\Big)\rho.$

For example, if $H$ is a cyclic group of order $m$ and $h$ is a generator, then as rings we have

$\mathbb{Z}[X]/(X^m - 1) \cong \mathbb{Z}[H]$

via the map

$\sum_{i=0}^{m-1} a_i X^i \mapsto \sum_{i=0}^{m-1} a_i h^i.$

Definition 6.1. If $A$ is a commutative ring, then writing 1 for the identity element of the group $G$, we define the modified group ring

$A(G) = A[G]/(u+1).$

Every $G$-lattice $L$ is a $\mathbb{Z}(G)$-module, where one uses the $G$-action on $L$ to define $ax$ whenever $x \in L$ and $a \in \mathbb{Z}(G)$. This is why we consider $A(G)$ rather than the standard group ring $A[G]$. Considering groups equipped with an element of order 2 allows us to include the cyclotomic rings $\mathbb{Z}[X]/(X^{2^r} + 1)$ in our theory.

Definition 6.2. Define the scaled trace function $t : A(G) \to A$ by

$t\Big(\sum_{\sigma \in G} a_\sigma \sigma\Big) = a_1 - a_u.$

This is well defined since the restriction of $t$ to $(u+1)A[G]$ is 0. The map $t$ is the $A$-linear map satisfying $t(1) = 1$, $t(u) = -1$, and $t(\sigma) = 0$ if $\sigma \in G$ and $\sigma \neq 1, u$.

Definition 6.3. For $a = \sum_{\sigma \in G} a_\sigma \sigma \in A(G)$, define

$\bar{a} = \sum_{\sigma \in G} a_\sigma \sigma^{-1}.$

The map $a \mapsto \bar{a}$ is a ring automorphism of $A(G)$. Since $\bar{\bar{a}} = a$, it is an involution. (An involution is a ring automorphism that is its own inverse.) One can think of this map as mimicking complex conjugation (cf. Lemma 7.3(i)).

Remark 6.4. If $L$ is a $G$-lattice and $x, y \in L$, then

$\langle \sigma x, \sigma y\rangle = \langle x, y\rangle$

for all $\sigma \in G$ by Definition 2.4. It follows that

$\langle ax, y\rangle = \langle x, \bar{a}y\rangle$

for all $a \in \mathbb{Z}(G)$. This "hermitian" property of the inner product is the main reason for introducing the involution.

Definition 6.5. For $x, y \in \mathbb{Z}(G)$ define $\langle x, y\rangle_{\mathbb{Z}(G)} = t(x\bar{y})$.

Recall that $n = \#G/2$ and $S$ is a set of coset representatives of $G/\langle u\rangle$. The following two results are straightforward.

Lemma 6.6. Suppose $A$ is a commutative ring. Then:

(i) $A(G) = \{\sum_{\sigma \in S} a_\sigma \sigma : a_\sigma \in A\} = \bigoplus_{\sigma \in S} A\sigma$;

(ii) if $a = \sum_{\sigma \in S} a_\sigma \sigma \in A(G)$, then

(a) $t(a) = a_1$,

(b) $t(\bar{a}) = t(a)$,

(c) $t(a\bar{a}) = \sum_{\sigma \in S} a_\sigma^2$,

(d) $a = \sum_{\sigma \in S} t(\sigma^{-1}a)\sigma$,

(e) if $t(ab) = 0$ for all $b \in A(G)$, then $a = 0$.

Proposition 6.7. (i) The additive group of the ring $\mathbb{Z}(G)$ is a $G$-lattice of rank $n$, with lattice structure defined by $\langle\cdot,\cdot\rangle_{\mathbb{Z}(G)}$ and $G$-action defined by $\sigma x = \sigma x$, where the right hand side is ring multiplication in $\mathbb{Z}(G)$.

(ii) As lattices, we have $\mathbb{Z}(G) \cong \mathbb{Z}^n$.

Definition 6.8. We call $\mathbb{Z}(G)$ the standard $G$-lattice.

The set $S$ of coset representatives for $G/\langle u\rangle$ is an orthonormal basis for the standard $G$-lattice.

Example 6.9. Suppose $G = H \times \langle u\rangle$ with $H = \mathbb{Z}/n\mathbb{Z}$. Then

$\mathbb{Z}(G) \cong \mathbb{Z}[H] \cong \mathbb{Z}[X]/(X^n - 1)$

as rings and as lattices. When $n$ is odd (so $G$ is cyclic), then, sending $X$ to $-X$, we have

$\mathbb{Z}(G) \cong \mathbb{Z}[X]/(X^n - 1) \cong \mathbb{Z}[X]/(X^n + 1).$

Example 6.10. If $G$ is cyclic, then $\mathbb{Z}(G) \cong \mathbb{Z}[X]/(X^n + 1)$, identifying $X$ with a generator of $G$. If $G$ is cyclic of order $2^r$, then

$\mathbb{Z}(G) \cong \mathbb{Z}[X]/(X^{2^{r-1}} + 1) \cong \mathbb{Z}[\zeta_{2^r}],$

where $\zeta_{2^r}$ is a primitive $2^r$-th root of unity.

Remark 6.11. The ring $\mathbb{Z}(G)$ is an integral domain if and only if $G$ is cyclic and $n$ is a power of 2 (including $2^0 = 1$). (If $g \in G$ is an element whose order is odd or 2, and $g \notin \{1, u\}$, then $g - 1$ is a zero divisor.)

7. The modified group ring over fields 

The main result of this section is Lemma 7.3, which we will use repeatedly in the rest of the paper. Recall that $G$ is a finite abelian group of order $2n$ equipped with an element $u$ of order 2. If $R$ is a commutative ring, then a commutative $R$-algebra is a commutative ring $A$ equipped with a ring homomorphism from $R$ to $A$.

If $K$ is a subfield of $\mathbb{C}$ and $E$ is a commutative $K$-algebra with $\dim_K(E) < \infty$, let $\Phi_E$ denote the set of $K$-algebra homomorphisms from $E$ to $\mathbb{C}$. Then $\mathbb{C}^{\Phi_E}$ is a $\mathbb{C}$-algebra with coordinate-wise operations. The next result is not only useful for studying modified group rings, but also comes in handy in Proposition 16.2 below.

Lemma 7.1. Suppose $K$ is a subfield of $\mathbb{C}$ and $E$ is a commutative $K$-algebra with $\dim_K(E) < \infty$. Assume $\#\Phi_E = \dim_K(E)$. Then:

(i) identifying $\Phi_E$ with

$\{\mathbb{C}\text{-algebra homomorphisms } E_{\mathbb{C}} = \mathbb{C} \otimes_K E \to \mathbb{C}\},$

the map $E_{\mathbb{C}} \to \mathbb{C}^{\Phi_E}$, $x \mapsto (\varphi(x))_{\varphi \in \Phi_E}$ is an isomorphism of $\mathbb{C}$-algebras;

(ii) $\bigcap_{\varphi \in \Phi_E} \ker(\varphi) = 0$ in $E$;

(iii) there is a finite collection $\{K_j\}_{j=1}^d$ of finite extension fields of $K$ such that

$E \cong K_1 \times \cdots \times K_d$

as $K$-algebras.
Proof. By the Corollaire to Proposition 1 in V.6.3 of [2], the set $\Phi_E$ is a $\mathbb{C}$-basis for $\operatorname{Hom}_K(E, \mathbb{C}) = \operatorname{Hom}_{\mathbb{C}}(E_{\mathbb{C}}, \mathbb{C})$, so the $\mathbb{C}$-algebra homomorphism in (i) is an isomorphism. Part (ii) follows immediately from (i).

By Proposition 2 in V.6.3 of [2], the $K$-algebra $E$ is what Bourbaki calls an étale $K$-algebra, and (iii) then follows from Theorem 4 in V.6.7 of [2]. □

Definition 7.2. Let $\Psi$ denote the set of ring homomorphisms from $\mathbb{Q}(G)$ to $\mathbb{C}$. We identify $\Psi$ with the set of $K$-algebra homomorphisms from $K(G)$ to $\mathbb{C}$, where $K$ is any subfield of $\mathbb{C}$. The set $\Psi$ can also be identified with the set of group homomorphisms $\psi : G \to \mathbb{C}^*$ such that $\psi(u) = -1$.

We have $\#\Psi = n$, since $\#\operatorname{Hom}(G, \mathbb{C}^*) = \#G = 2n$ and the restriction map $\operatorname{Hom}(G, \mathbb{C}^*) \to \operatorname{Hom}(\langle u\rangle, \mathbb{C}^*)$ is surjective. This allows us to apply Lemma 7.1 with $E = K(G)$. If $a \in \mathbb{C}(G)$, then $a$ acts on the $\mathbb{C}$-vector space $\mathbb{C}(G)$ by multiplication, and for $\psi \in \Psi$ the $\psi(a)$ are the eigenvalues for this linear transformation. Lemma 7.3(ii) justifies thinking of the map $t$ of Definition 6.2 as a scaled trace function.

Lemma 7.3. (i) If $\psi \in \Psi$, then $\psi(\bar{a}) = \overline{\psi(a)}$ for all $a \in \mathbb{R}(G)$.

(ii) If $a \in \mathbb{C}(G)$, then $t(a) = \frac{1}{n}\sum_{\psi \in \Psi} \psi(a)$.

(iii) If $K$ is a subfield of $\mathbb{C}$, then $\bigcap_{\psi \in \Psi} \ker(\psi) = 0$ in $K(G)$.

(iv) The map $\mathbb{C}(G) \to \mathbb{C}^{\Psi}$, $x \mapsto (\psi(x))_{\psi \in \Psi}$ is an isomorphism of $\mathbb{C}$-algebras.

(v) There are number fields $K_1, \ldots, K_d$ such that

$\mathbb{Q}(G) \cong K_1 \times \cdots \times K_d$

as $\mathbb{Q}$-algebras.

(vi) Suppose $K$ is a subfield of $\mathbb{C}$ and $a \in K(G)$. Then $a \in K(G)^*$ if and only if $\psi(a) \neq 0$ for all $\psi \in \Psi$.

(vii) If $z \in \mathbb{R}(G)$ is such that $\psi(z) \in \mathbb{R}$ for all $\psi \in \Psi$ and $\sum_{\psi \in \Psi} \psi(x\bar{x}z) \geq 0$ for all $x \in \mathbb{R}(G)$, then $\psi(z) \geq 0$ for all $\psi \in \Psi$.

Proof. For (i), since $G$ is finite, $\psi(\sigma)$ is a root of unity for all $\sigma \in G$. Thus,

$\overline{\psi(\sigma)} = \psi(\sigma)^{-1} = \psi(\sigma^{-1}) = \psi(\bar{\sigma}).$

The $\mathbb{R}$-linearity of $\psi$ and of $\operatorname{Aut}(\mathbb{C}/\mathbb{R})$ now implies (i).

We have

$\sum_{\psi \in \Psi} \psi(1) = n = n\,t(1)$

and

$\sum_{\psi \in \Psi} \psi(u) = -n = n\,t(u),$

and for each $\sigma \notin \langle u\rangle$ we have

$\sum_{\psi \in \Psi} \psi(\sigma) = \sum_{\psi \in \operatorname{Hom}(G, \mathbb{C}^*)} \psi(\sigma) - \sum_{\psi \in \operatorname{Hom}(G/\langle u\rangle, \mathbb{C}^*)} \psi(\sigma \bmod \langle u\rangle) = 0 = n\,t(\sigma).$

Extending $\mathbb{C}$-linearly gives (ii).

If $K$ is a subfield of $\mathbb{C}$, then $\#\Psi = n = \dim_K K(G)$. Thus we can apply Lemma 7.1, giving (iii), (iv), and (v).

By (iv) we have $\mathbb{C}(G)^* \cong (\mathbb{C}^*)^{\Psi}$. This gives (vi) when $K = \mathbb{C}$. If $K$ is a subfield of $\mathbb{C}$ and $x \in K(G) \cap \mathbb{C}(G)^*$, then multiplication by $x$ is an injective map from $K(G)$ to itself, so is also surjective, so $x \in K(G)^*$. Thus

$K(G)^* = K(G) \cap \mathbb{C}(G)^*,$

and (vi) follows.

For (vii), applying Lemma 7.1(iii) with $K = \mathbb{R}$ gives an $\mathbb{R}$-algebra isomorphism

$\mathbb{R}(G) \cong \mathbb{R}^r \times \mathbb{C}^s.$

The set $\Psi = \{\psi_j\}_{j=1}^{r+2s}$ consists of the $r$ projection maps $\psi_j : \mathbb{R}(G) \to \mathbb{R} \subset \mathbb{C}$ for $1 \leq j \leq r$, along with the $s$ projection maps $\psi_j : \mathbb{R}(G) \to \mathbb{C}$ and their complex conjugates $\psi_{s+j} = \overline{\psi_j}$ for $r+1 \leq j \leq r+s$. By (i), if

$x = (x_1, \ldots, x_r, y_1, \ldots, y_s) \in \mathbb{R}^r \times \mathbb{C}^s,$

then

$\bar{x} = (x_1, \ldots, x_r, \bar{y}_1, \ldots, \bar{y}_s).$

Taking $x$ to have 1 in the $j$-th position and 0 everywhere else, we have

$0 \leq \sum_{\psi \in \Psi} \psi(x\bar{x}z) = \begin{cases} \psi_j(z) & \text{if } 1 \leq j \leq r, \\ 2\psi_j(z) & \text{otherwise}, \end{cases}$

giving (vii). □


8. Ideal lattices 

As before, $G$ is a finite abelian group of order $2n$ equipped with an element $u$ of order 2. Theorem 8.2 below gives a way to view certain ideals $I$ in $\mathbb{Z}(G)$ as $G$-lattices, and Theorem 8.5 characterizes the ones that are $G$-isomorphic to $\mathbb{Z}(G)$.

Definition 8.1. A fractional $\mathbb{Z}(G)$-ideal is a finitely generated $\mathbb{Z}(G)$-module in $\mathbb{Q}(G)$ that spans $\mathbb{Q}(G)$ over $\mathbb{Q}$. An invertible fractional $\mathbb{Z}(G)$-ideal is a fractional $\mathbb{Z}(G)$-ideal $I$ such that there is a fractional $\mathbb{Z}(G)$-ideal $J$ with $IJ = \mathbb{Z}(G)$, where $IJ$ is the fractional $\mathbb{Z}(G)$-ideal generated by the products of elements from $I$ and $J$.

Theorem 8.2. Suppose $I \subset \mathbb{Q}(G)$ is a fractional $\mathbb{Z}(G)$-ideal and $w \in \mathbb{Q}(G)$. Suppose that $I\bar{I} \subset \mathbb{Z}(G)\cdot w$ and $\psi(w) \in \mathbb{R}_{>0}$ for all $\psi \in \Psi$. Then:

(i) $\bar{w} = w$;

(ii) $w \in \mathbb{Q}(G)^*$;

(iii) $I$ is a $G$-lattice, with $G$-action defined by multiplication in $\mathbb{Q}(G)$, and with lattice structure defined by

$\langle x, y\rangle_{I,w} = t\Big(\frac{x\bar{y}}{w}\Big),$

with $t$ as in Definition 6.2.

Proof. By Lemma 7.3(i) we have

$\psi(\bar{w}) = \overline{\psi(w)} = \psi(w)$

for all $\psi \in \Psi$. Now (i) follows from Lemma 7.3(iii). Lemma 7.3(vi) implies (ii). Note that $x\bar{y}/w \in \mathbb{Z}(G)$, since $I\bar{I} \subset \mathbb{Z}(G)\cdot w$. Part (iii) now follows from (i) and (ii) of Lemma 7.3. □
Notation 8.3. Let $I$ and $w$ be as in Theorem 8.2. Define $L_{(I,w)}$ to be the $G$-lattice $I$ with lattice structure defined by $\langle x, y\rangle_{I,w} = t(x\bar{y}/w)$.

Example 8.4. We have $L_{(\mathbb{Z}(G),1)} = \mathbb{Z}(G)$.

Theorem 8.5. Suppose that $I_1$ and $I_2$ are fractional $\mathbb{Z}(G)$-ideals, that $w_1, w_2 \in \mathbb{Q}(G)$, that $I_1\bar{I}_1 \subset \mathbb{Z}(G)\cdot w_1$ and $I_2\bar{I}_2 \subset \mathbb{Z}(G)\cdot w_2$, and that $\psi(w_1), \psi(w_2) \in \mathbb{R}_{>0}$ for all $\psi \in \Psi$. Let $L_j = L_{(I_j, w_j)}$ for $j = 1, 2$. Then sending $v$ to multiplication by $v$ gives a bijection from

$\{v \in \mathbb{Q}(G) : I_1 = vI_2,\ w_1 = v\bar{v}w_2\}$ to $\{G\text{-isomorphisms } L_2 \to L_1\}$

and gives a bijection from

$\{v \in \mathbb{Q}(G) : I_1 = v\mathbb{Z}(G),\ w_1 = v\bar{v}\}$ to $\{G\text{-isomorphisms } \mathbb{Z}(G) \to L_1\}$.

In particular, $L_1$ is $G$-isomorphic to $\mathbb{Z}(G)$ if and only if there exists $v \in \mathbb{Q}(G)$ such that $I_1 = (v)$ and $w_1 = v\bar{v}$.

Proof. Every $\mathbb{Z}(G)$-module isomorphism $\varphi : L_2 \to L_1$ extends to a $\mathbb{Q}(G)$-module isomorphism

$L_2 \otimes \mathbb{Q} = \mathbb{Q}(G) \to L_1 \otimes \mathbb{Q} = \mathbb{Q}(G),$

and any such map is multiplication by some $v \in \mathbb{Q}(G)^*$. Conversely, for $v \in \mathbb{Q}(G)$, multiplication by $v$ defines a $\mathbb{Z}(G)$-module isomorphism from $L_2$ to $L_1$ if and only if $I_1 = vI_2$. When $I_1 = vI_2$, multiplication by $v$ is a $G$-isomorphism from $L_2$ to $L_1$ if and only if $w_1 = v\bar{v}w_2$; this follows from Lemma 6.6(ii)(e), since for all $a, b \in I_2$ we have

$\langle a, b\rangle_{I_2,w_2} = t\Big(\frac{a\bar{b}}{w_2}\Big) \quad\text{and}\quad \langle av, bv\rangle_{I_1,w_1} = t\Big(\frac{a\bar{b}v\bar{v}}{w_1}\Big).$

This gives the first desired bijection. Taking $I_2 = \mathbb{Z}(G)$ and $w_2 = 1$ gives the second bijection. □

Remark 8.6. We next show how to recover the Gentry-Szydlo algorithm from Theorem 1.1. The goal of the Gentry-Szydlo algorithm is to find a generator $v$ of a principal ideal $I$ of finite index in the ring $R = \mathbb{Z}[X]/(X^n - 1)$, given $v\bar{v}$ and a $\mathbb{Z}$-basis for $I$. Here, $n$ is an odd prime, and for

$v = v(X) = \sum_{i=0}^{n-1} a_i X^i \in R,$

its "reversal" is

$\bar{v} = v(X^{-1}) = a_0 + \sum_{i=1}^{n-1} a_{n-i} X^i \in R.$

We take $G$ to be a cyclic group of order $2n$. Then $R \cong \mathbb{Z}(G)$ as in Example 6.9, and we identify $R$ with $\mathbb{Z}(G)$. Let $w = v\bar{v} \in \mathbb{Z}(G)$ and let $L = L_{(I,w)}$ as in Notation 8.3. Then $L$ is the "implicit orthogonal lattice" in §7.2 of [4]. Once one knows $w$ and a $\mathbb{Z}$-basis for $I$, then one knows $L$. Theorem 1.1 produces a $G$-isomorphism $\varphi : \mathbb{Z}(G) \to L$ in polynomial time, and thus (as in Theorem 8.5) gives a generator $v = \varphi(1)$ in polynomial time.
9. Invertible $G$-lattices

Recall that $G$ is a finite abelian group of order $2n$, with a fixed element $u$ of order 2, and $S$ is a set of coset representatives for $G/\langle u\rangle$. In Definition 9.4 we introduce the concept of an invertible $G$-lattice. The inverse of such a lattice $L$ is the $G$-lattice $\bar{L}$ given in Definition 9.1.

Definition 9.1. If $L$ is a $G$-lattice, then the $G$-lattice $\bar{L}$ is a lattice equipped with a lattice isomorphism

$L \to \bar{L}, \quad x \mapsto \bar{x}$

and a group homomorphism $G \to \operatorname{Aut}(\bar{L})$ defined by

$\sigma\bar{x} = \overline{\sigma^{-1}x}$

for all $\sigma \in G$ and $x \in L$, i.e.,

$\overline{\sigma x} = \bar{\sigma}\bar{x}.$

Existence follows by taking $\bar{L}$ to be $L$ with the appropriate $G$-action. The $G$-lattice $\bar{L}$ is unique up to $G$-isomorphism, and we have $\bar{\bar{L}} = L$.

Definition 9.2. If $L$ is a $G$-lattice, define the lifted inner product

$\cdot : L \times \bar{L} \to \mathbb{Z}(G)$

by

$x \cdot \bar{y} = \sum_{\sigma \in S} \langle x, \sigma y\rangle \sigma \in \mathbb{Z}(G).$

This lifted inner product is independent of the choice of the set $S$, and is $\mathbb{Z}(G)$-bilinear; in fact, it extends $\mathbb{Q}$-linearly, and for all $x, y \in L \otimes \mathbb{Q}$ and for all $a \in \mathbb{Q}(G)$ we have

(9.1) $(ax)\cdot\bar{y} = x\cdot(a\bar{y}) = a(x\cdot\bar{y}),$

(9.2) $\langle x, y\rangle = t(x\cdot\bar{y}),$

and $\overline{x\cdot\bar{y}} = y\cdot\bar{x}$.

Example 9.3. If $I$, $w$, and $L_{(I,w)}$ are as in Theorem 8.2 and Notation 8.3, then $\overline{L_{(I,w)}} = L_{(\bar{I},w)}$, and applying Lemma 6.6(ii)(d) with $a = x\bar{y}/w$ shows that $x\cdot\bar{y} = x\bar{y}/w$. In particular, if $L = \mathbb{Z}(G)$, then $\bar{L} = \mathbb{Z}(G)$ with $\bar{\ }$ having the same meaning as in Definition 6.3 for $A = \mathbb{Z}$, and with $\cdot$ being multiplication in $\mathbb{Z}(G)$. Note that when $w \neq 1$, ideals $I$ in $\mathbb{Z}(G)$ do not inherit their lifted inner product from that of $\mathbb{Z}(G)$.
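The modified group ring of Section 6 (Definitions 6.1–6.5, Lemma 6.6, Proposition 6.7, Examples 6.9 and 6.10), the ring and reversal of Remark 8.6, and the lifted inner product of Definition 9.2 and Example 9.3, worked out in code. This is an added example, not code from the paper; it assumes $G$ cyclic of order $2n$, so that $\mathbb{Z}(G) = \mathbb{Z}[X]/(X^n + 1)$ as in Example 6.10, with elements stored as coefficient lists on $S$, and the function names are my own.

```python
# Z(G) for G cyclic of order 2n with u = g^n.  On the coset representatives
# S = {1, g, ..., g^{n-1}} the relation u = -1 reads g^n = -1, so Z(G) = Z[X]/(X^n + 1)
# (Example 6.10).  An element is a list of n integers: its coefficients on S.
from random import Random

def mul(a, b):
    """Ring multiplication in Z(G): negacyclic convolution (X^n = -1)."""
    n = len(a)
    c = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < n:
                c[i + j] += ai * bj
            else:
                c[i + j - n] -= ai * bj
    return c

def bar(a):
    """Involution of Definition 6.3, g^k -> g^{-k}.  For 0 < k < n,
    g^{-k} = u g^{n-k} = -g^{n-k}: coefficient k moves to slot n-k with a sign flip."""
    n = len(a)
    c = [a[0]] + [0] * (n - 1)
    for k in range(1, n):
        c[n - k] = -a[k]
    return c

def trace(a):
    """Scaled trace t of Definition 6.2, t = a_1 - a_u; on the basis S it is a_1 (Lemma 6.6(ii)(a))."""
    return a[0]

def inner(x, y):
    """<x, y>_{Z(G)} = t(x bar(y)), Definition 6.5."""
    return trace(mul(x, bar(y)))

def basis_vector(n, k):
    """The element g^k of S as a coefficient list."""
    return [1 if i == k else 0 for i in range(n)]

def lifted_inner(x, y):
    """Definition 9.2: x . bar(y) = sum over sigma in S of <x, sigma y> sigma."""
    n = len(x)
    return [inner(x, mul(basis_vector(n, k), y)) for k in range(n)]

def s_is_orthonormal(n):
    """Proposition 6.7(ii): S is an orthonormal basis of the standard G-lattice."""
    return all(inner(basis_vector(n, i), basis_vector(n, j)) == (1 if i == j else 0)
               for i in range(n) for j in range(n))

def identities(a, x, y):
    """Identities the text states, evaluated on concrete elements a, x, y of Z(G)."""
    return {
        "bar is an involution": bar(bar(a)) == a,
        "bar is multiplicative": bar(mul(x, y)) == mul(bar(x), bar(y)),
        "Lemma 6.6(ii)(b)": trace(bar(a)) == trace(a),
        "Lemma 6.6(ii)(c)": trace(mul(a, bar(a))) == sum(c * c for c in a),
        "Remark 6.4 hermitian": inner(mul(a, x), y) == inner(x, mul(bar(a), y)),
        "Example 9.3 x.bar(y) = x bar(y)": lifted_inner(x, y) == mul(x, bar(y)),
        "(9.2) <x,y> = t(x.bar(y))": inner(x, y) == trace(lifted_inner(x, y)),
    }

# Remark 8.6 works in Z[X]/(X^n - 1) with n odd; Example 6.9 identifies that ring with
# Z(G) by sending X to -X, and the "reversal" v(X^{-1}) then becomes bar above.
def mul_cyclic(a, b):
    """Multiplication in Z[X]/(X^n - 1): cyclic convolution."""
    n = len(a)
    c = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % n] += ai * bj
    return c

def reversal(a):
    """v(X) -> v(X^{-1}) in Z[X]/(X^n - 1): a_0 + sum_{i>=1} a_{n-i} X^i."""
    n = len(a)
    return [a[0]] + [a[n - i] for i in range(1, n)]

def to_zg(a):
    """X -> -X, the isomorphism Z[X]/(X^n - 1) -> Z(G) of Example 6.9 (n odd)."""
    if len(a) % 2 == 0:
        raise ValueError("Example 6.9 needs n odd")
    return [(-1) ** i * c for i, c in enumerate(a)]

def example_6_9_is_ring_iso(n, seed=0):
    """Check on constructed random inputs that to_zg is multiplicative and carries
    the reversal to the involution of Z(G)."""
    rng = Random(seed)
    a = [rng.randint(-5, 5) for _ in range(n)]
    b = [rng.randint(-5, 5) for _ in range(n)]
    return (to_zg(mul_cyclic(a, b)) == mul(to_zg(a), to_zg(b))
            and to_zg(reversal(a)) == bar(to_zg(a)))
```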

Definition 9.4. A $G$-lattice $L$ is invertible if the following three conditions all hold:

(i) $\operatorname{rank}(L) = n = \#G/2$;

(ii) $L$ is unimodular (see Definition 2.3);

(iii) for each $m \in \mathbb{Z}_{>0}$ there exists $e_m \in L$ such that

$\{\sigma e_m + mL : \sigma \in G\}$

generates the abelian group $L/mL$.

It is clear from the definition that invertibility is preserved under $G$-lattice isomorphisms. Definition 9.4 implies that $L/mL$ is a free $(\mathbb{Z}/m\mathbb{Z})(G)$-module of rank one for all $m > 0$. Given an ideal, it is a hard problem to decide if it is principal. But checking (iii) of Definition 9.4 is easy algorithmically; see Algorithm 10.3 below.

Lemma 9.5. If $L$ is a $G$-lattice and $L$ is $G$-isomorphic to the standard $G$-lattice, then $L$ is invertible.

Proof. Parts (i) and (ii) of Definition 9.4 are easy. For (iii), observe that the group $\mathbb{Z}(G)$ is generated by $\{\sigma 1 : \sigma \in G\}$, so the group $L$ is generated by $\{\sigma e : \sigma \in G\}$ where $e$ is the image of 1 under the isomorphism. Now let $e_m = e$ for all $m$. □

10. Determining invertibility

Fix as before a finite abelian group $G$ of order $2n$ equipped with an element $u$ of order 2.

Algorithm 10.3 below determines whether a $G$-lattice is invertible. In Proposition 10.4 we show that Algorithm 10.3 produces correct output and runs in polynomial time.

In [10] we obtain a deterministic polynomial-time algorithm that, on input a finite commutative ring $R$ and a finite $R$-module $M$, decides whether there exists $y \in M$ such that $M = Ry$, and if there is, finds such a $y$. Applying this with $R = Z(G)/(m)$ and $M = L/mL$ gives the algorithm in the following result.

Proposition 10.1. There is a deterministic polynomial-time algorithm that, given $G$, $u$, a $G$-lattice $L$, and $m \in \mathbb{Z}_{>0}$, decides whether there exists $e_m \in L$ such that

$\{\sigma e_m + mL : \sigma \in G\}$

generates $L/mL$ as an abelian group, and if there is, finds one.

Lemma 10.2. Suppose that $L$ is a $G$-lattice, $m \in \mathbb{Z}_{>1}$, and $e \in L$. Then:

(i) $\{\sigma e + mL : \sigma \in G\}$ generates $L/mL$ as an abelian group if and only if $L/(Z(G) \cdot e)$ is finite of order coprime to $m$;

(ii) if $\mathrm{rank}(L) = n$ and $L/(Z(G) \cdot e)$ is finite, then the map

$Z(G) \to Z(G) \cdot e, \quad a \mapsto ae$

is an isomorphism of $Z(G)$-modules.

Proof. The set $\{\sigma e + mL : \sigma \in G\}$ generates $L/mL$ as an abelian group if and only if $L = Z(G)e + mL$, and if and only if multiplication by $m$ is surjective as a map from $L/(Z(G) \cdot e)$ to itself. Since $L/(Z(G) \cdot e)$ is a finitely generated abelian group, this holds if and only if $L/(Z(G) \cdot e)$ is finite of order coprime to $m$. This gives (i).

Now suppose that $\mathrm{rank}(L) = n$ and $L/(Z(G) \cdot e)$ is finite. The map in (ii) is clearly $Z(G)$-linear and surjective. Since $Z(G)$ and $Z(G)e$ both have rank $n$ over $\mathbb{Z}$, the map is injective. □

Algorithm 10.3. Given $G$, $u$, and a $G$-lattice $L$, the algorithm decides whether $L$ is invertible.

(i) If $\mathrm{rank}(L) \ne n$, output "no" (and stop).

(ii) Compute the determinant of the Gram matrix for $L$. If it is not 1, output "no" (and stop).

(iii) Use Proposition 10.1 to determine if $e_2$ (in the notation of Definition 9.4(iii)) exists. If no $e_2$ exists, output "no" and stop. Otherwise, use Proposition 10.1 to compute $e_2 \in L$.

(iv) Compute the order $q$ of the group $L/(Z(G) \cdot e_2)$.

(v) Use Proposition 10.1 to determine if $e_q$ exists. If no $e_q$ exists, output "no". Otherwise, output "yes".

Proposition 10.4. Algorithm 10.3 is a deterministic polynomial-time algorithm that, given $G$, $u$, and a $G$-lattice $L$, decides whether $L$ is invertible.

Proof. If Step (ii) outputs "no" then $L$ is not unimodular, so it is not invertible. We need to check Definition 9.4(iii) for all $m$ in polynomial time. We show that it suffices to check two particular values of $m$, namely $m = 2$ and $m = q$. By Lemma 10.2(i), the group $L/(Z(G) \cdot e_2)$ is finite of odd order $q$. If no $e_q$ exists, $L$ is not invertible. If $e_q$ exists, then for all $m \in \mathbb{Z}_{>0}$ there exists $e_m \in L$ that generates $L/mL$ as a $Z(G)/(m)$-module, as follows. We can reduce to $m$ being a prime power $p^k$, since if $\gcd(m, m') = 1$ then $L/mm'L$ is free of rank 1 over $Z(G)/(mm')$ if and only if $L/mL$ is free of rank 1 over $Z(G)/(m)$ and $L/m'L$ is free of rank 1 over $Z(G)/(m')$. Lemma 10.2(i) now allows us to reduce to the case $m = p$. If $p$ does not divide $q$, we can take $e_p = e_2$. If $p$ divides $q$, we can take $e_p = e_q$. □
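The following Python, added here as an illustration and not part of the paper, runs the steps of Algorithm 10.3 on constructed inputs. It assumes $G = \mathbb{Z}/8\mathbb{Z}$ with generator $x$ (so $n = 4$, $u = x^4$, $S = \{1, x, x^2, x^3\}$ and $Z(G) \cong \mathbb{Z}[x]/(x^4+1)$), represents a $G$-lattice by the Gram matrix of a basis together with the integer matrix of $x$, and, since the module-generator algorithm of [10] behind Proposition 10.1 is not reproduced, substitutes the criterion of Lemma 10.2(i) tested by brute force over the $m^n$ coset representatives of $L/mL$. The inputs are the standard lattice, the same lattice written in a scrambled basis, and the sublattice $2Z(G)$.

```python
"""Algorithm 10.3 (deciding invertibility) on small constructed G-lattices.

Assumptions of this example: G = Z/8Z with generator x, n = 4, u = x^4,
S = {1, x, x^2, x^3}; Z(G) is Z[x]/(x^4+1).  A G-lattice is given by the Gram
matrix of a basis and the integer matrix A of the generator x.  The test for
e_m (Proposition 10.1) is replaced by the criterion of Lemma 10.2(i), checked
by brute force over the m^n coset representatives of L/mL; this is fine for
n = 4 but is not the polynomial-time method of the paper.
"""
from fractions import Fraction
from itertools import product
from math import gcd

N = 4

def mat_vec(M, v):
    return [sum(M[i][j] * v[j] for j in range(N)) for i in range(N)]

def mat_mul(M, P):
    return [[sum(M[i][k] * P[k][j] for k in range(N)) for j in range(N)] for i in range(N)]

def transpose(M):
    return [[M[j][i] for j in range(N)] for i in range(N)]

def det(M):
    """Exact determinant of an integer matrix (Gaussian elimination over Q)."""
    M = [[Fraction(v) for v in row] for row in M]
    d = Fraction(1)
    for c in range(N):
        p = next((r for r in range(c, N) if M[r][c] != 0), None)
        if p is None:
            return 0
        if p != c:
            M[c], M[p] = M[p], M[c]
            d = -d
        d *= M[c][c]
        for r in range(c + 1, N):
            f = M[r][c] / M[c][c]
            M[r] = [M[r][k] - f * M[c][k] for k in range(N)]
    return int(d)

def orbit_index(e, A):
    """Order of L/(Z(G)e) when finite, else 0.  The Z-span of {sigma e : sigma in S}
    is Z(G)e, so the index is |det| of the matrix having those vectors as columns."""
    cols, w = [], list(e)
    for _ in range(N):
        cols.append(w)
        w = mat_vec(A, w)
    return abs(det(transpose(cols)))

def find_e_m(m, A):
    """Lemma 10.2(i): e_m exists iff some e, taken modulo mL, has Z(G)e of finite
    index coprime to m.  Returns (e_m, index) or (None, None).  Brute force."""
    for e in product(range(m), repeat=N):
        q = orbit_index(e, A)
        if q != 0 and gcd(q, m) == 1:
            return list(e), q
    return None, None

def is_invertible(gram, A):
    """Algorithm 10.3.  The lattice is given by a basis, so step (i) is the check
    that there are n = 4 basis vectors and that the Gram matrix is nonsingular."""
    d = det(gram) if len(gram) == N else 0
    if d == 0:                                    # (i)  rank(L) != n
        return False
    if d != 1:                                    # (ii) not unimodular
        return False
    e2, q = find_e_m(2, A)                        # (iii) e_2
    if e2 is None:
        return False
    if q == 1:                                    # (iv) Z(G)e_2 = L, so e_2 serves as e_m for every m
        return True
    eq, _ = find_e_m(q, A)                        # (v)  e_q, q the odd order of L/(Z(G)e_2)
    return eq is not None

# Constructed inputs: the standard lattice Z(G) (Gram = I, x = negacyclic shift), the same
# lattice written in the scrambled basis given by the columns of U, and the sublattice 2Z(G).
STD_GRAM = [[int(i == j) for j in range(N)] for i in range(N)]
STD_A = [[0, 0, 0, -1], [1, 0, 0, 0], [0, 1, 0, 0], [0, 0, 1, 0]]
U = [[1, 1, 0, 0], [0, 1, 1, 0], [0, 0, 1, 1], [0, 0, 0, 1]]          # unimodular
U_INV = [[1, -1, 1, -1], [0, 1, -1, 1], [0, 0, 1, -1], [0, 0, 0, 1]]  # its inverse

def change_basis(gram, A, U, U_inv):
    """Gram matrix and action matrix of the same G-lattice in the basis given by the columns of U."""
    return mat_mul(transpose(U), mat_mul(gram, U)), mat_mul(U_inv, mat_mul(A, U))

SCRAMBLED_GRAM, SCRAMBLED_A = change_basis(STD_GRAM, STD_A, U, U_INV)
DOUBLED_GRAM = [[4 * v for v in row] for row in STD_GRAM]            # Gram matrix of 2Z(G)

if __name__ == "__main__":
    print(is_invertible(STD_GRAM, STD_A), is_invertible(SCRAMBLED_GRAM, SCRAMBLED_A),
          is_invertible(DOUBLED_GRAM, STD_A))
```

For this particular $G$ the ring $Z(G) = \mathbb{Z}[\zeta_8]$ is a principal ideal domain, so every unimodular $G$-lattice of rank 4 passes step (iii); the sublattice $2Z(G)$ is rejected at step (ii). The index computation also shows the kind of value $q$ takes: $1 + x$ generates an ideal of index 2, while $1 + x + x^2$ is a unit.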


11. Equivalent conditions for invertibility

In this section we prove Theorem 11.1, which gives equivalent conditions for invertibility.

Theorem 11.1. If $L$ is a $G$-lattice, then the following statements are equivalent:

(a) $L$ is invertible;

(b) the map $\varphi : L \otimes_{Z(G)} \bar L \to Z(G)$ defined by $\varphi(x \otimes y) = x \cdot y$ is an isomorphism of $Z(G)$-modules, where $\cdot$ is defined in Definition 9.2;

(c) there is a $Z(G)$-module $M$ such that $L \otimes_{Z(G)} M$ and $Z(G)$ are isomorphic as $Z(G)$-modules, and as a lattice $L$ is unimodular;

(d) $L$ is $G$-isomorphic to $L_{(I,w)}$ for some fractional $Z(G)$-ideal $I$ and some $w \in \mathbb{Q}(G)^*$ such that $I\bar I = Z(G) \cdot w$ and $\psi(w) \in \mathbb{R}_{>0}$ for all $\psi \in \Psi$, with $L_{(I,w)}$ as in Notation 8.3.

We will prove Theorem 11.1 in a series of lemmas. The equivalence of (a) and (c) says that being invertible as a $G$-lattice is equivalent to being both unimodular as a lattice and invertible as a $Z(G)$-module.

Definition 11.2. Suppose $R$ is a commutative ring. An $R$-module is projective if it is a direct summand of a free $R$-module. An $R$-module $M$ is flat if whenever $N_1 \hookrightarrow N_2$ is an injection of $R$-modules, then the induced map

$M \otimes_R N_1 \to M \otimes_R N_2$

is injective.

Lemma 11.3. Suppose that $L$ is a $\mathbb{Z}$-free $Z(G)$-module of rank $\#G/2$, and for each $m \in \mathbb{Z}_{>0}$ there exists $e_m \in L$ such that

$\{\sigma e_m + mL : \sigma \in G\}$

generates the abelian group $L/mL$. Then:

(i) there is a $Z(G)$-module $M$ such that $L \oplus M$ and $Z(G) \oplus Z(G)$ are isomorphic as $Z(G)$-modules, and

(ii) $L$ is projective and flat as a $Z(G)$-module.

Proof. Let $q = (L : Z(G)e_2)$. By Lemma 10.2(i) we have that $q$ is finite and odd. Let $r = (L : Z(G)e_q)$. By Lemma 10.2(i), we have that $r$ is finite and coprime to $q$. Take $a, b \in \mathbb{Z}$ such that $ar + bq = 1$. Let $N = Z(G)e_2 \oplus Z(G)e_q$. By Lemma 10.2(ii) we have $N \cong Z(G) \oplus Z(G)$ as $Z(G)$-modules. Define

$p : N \to L \quad \text{by} \quad (x, y) \mapsto x + y$

and

$s : L \to N \quad \text{by} \quad x \mapsto (bqx, arx).$

Then $p \circ s$ is the identity on $L$. Thus,

$L \oplus \ker(p) \cong N \cong Z(G) \oplus Z(G)$

as $Z(G)$-modules. So (i) holds with $M = \ker(p)$. Since $L$ is a direct summand of a free module, $L$ is projective. All projective modules are flat (by Example (1) in 1.2.4 of [3]). □


Recall that the notions of fractional $Z(G)$-ideal and invertible fractional $Z(G)$-ideal were defined in Definition 8.1.

Lemma 11.4. If $I$ is an invertible fractional $Z(G)$-ideal, then:

(i) if $m \in \mathbb{Z}_{>0}$, then $I/mI$ is isomorphic to $(\mathbb{Z}/m\mathbb{Z})(G)$ as a $Z(G)$-module;

(ii) $I$ is flat;

(iii) if $I'$ is a fractional $Z(G)$-ideal, then the natural surjective map

$I \otimes_{Z(G)} I' \to II'$

is an isomorphism.

Proof. Since $I$ is an invertible fractional $Z(G)$-ideal, there is a fractional $Z(G)$-ideal $J$ such that $IJ = Z(G)$. Let $\mathcal{T}$ denote the partially ordered set of fractional $Z(G)$-ideals. The maps from $\mathcal{T}$ to itself defined by $f_1 : N \mapsto NI$ and $f_2 : N \mapsto NJ$ are inverse bijections that preserve inclusions. Since $f_1(Z(G)) = I$, it follows that the maximal $Z(G)$-submodules of $I$ are exactly the $\mathfrak{m}I$ such that $\mathfrak{m}$ is a maximal ideal of $Z(G)$. By the Chinese Remainder Theorem, the map $I \to \prod_{\mathfrak{m}} I/\mathfrak{m}I$ is surjective, where the product runs over the (finitely many) maximal ideals $\mathfrak{m}$ that contain $m$. It follows that there exists $x \in I$ that is not contained in any $\mathfrak{m}I$. Since $Z(G)x + mI$ is a fractional ideal that is not contained in any proper submodule of $I$, it equals $I$. Thus, $I/mI$ is isomorphic to $(\mathbb{Z}/m\mathbb{Z})(G)$ as a $Z(G)$-module. This proves (i). For (ii), apply (i) and Lemma 11.3(ii). Since $I$ is flat, the natural map

$I \otimes_{Z(G)} I' \to I \otimes_{Z(G)} \mathbb{Q}(G) = I \otimes_{Z(G)} Z(G) \otimes_{\mathbb{Z}} \mathbb{Q} = I \otimes_{\mathbb{Z}} \mathbb{Q} = \mathbb{Q}(G)$

is injective, giving (iii). □

Let $L_{\mathbb{Q}} = L \otimes_{\mathbb{Z}} \mathbb{Q}$. Then the inner product $(\ ,\ )$ on $L$ extends $\mathbb{Q}$-bilinearly to a $\mathbb{Q}$-bilinear, symmetric, positive definite inner product on $L_{\mathbb{Q}}$, and the lifted inner product $\cdot$ extends $\mathbb{Q}$-bilinearly to a $\mathbb{Q}(G)$-bilinear map $\cdot$ from $L_{\mathbb{Q}} \times L_{\mathbb{Q}}$ to $\mathbb{Q}(G)$.

Lemma 11.5. Suppose $L$ is an invertible $G$-lattice. Then $L_{\mathbb{Q}} = \mathbb{Q}(G)\gamma$ for some $\gamma \in L_{\mathbb{Q}}$. For such a $\gamma$, letting $z = \gamma \cdot \gamma \in \mathbb{Q}(G)$ we have:

(i) $(a\gamma, b\gamma) = t(a\bar b z)$ for all $a, b \in \mathbb{Q}(G)$,

(ii) $z \in \mathbb{Q}(G)^*$,

(iii) for all $\psi \in \Psi$ we have $\psi(z) \in \mathbb{R}_{>0}$,

(iv) $L \cdot L = Z(G)$,

(v) if $I = \{x \in \mathbb{Q}(G) : x\gamma \in L\}$, then $I\bar I = Z(G)z^{-1}$ and as $G$-lattices we have $L_{(I, z^{-1})} = L$.

Proof. By Definition 9.4(iii) and Lemma 10.2(i) we have that for all $m \in \mathbb{Z}_{>1}$ there exists $e_m \in L$ such that the index $i(m) = (L : Z(G)e_m)$ is finite and coprime to $m$. It follows that $\mathbb{Q}(G) \cong L_{\mathbb{Q}}$ as $\mathbb{Q}(G)$-modules. Let $\gamma \in L_{\mathbb{Q}}$ be the image of $1$ under such an isomorphism $\mathbb{Q}(G) \to L_{\mathbb{Q}}$. Then $L_{\mathbb{Q}} = \mathbb{Q}(G)\gamma$. Let

$z = \gamma \cdot \gamma \in \mathbb{Q}(G).$

By (9.1) and (9.2), for all $a, b \in \mathbb{Q}(G)$ we have

$(a\gamma) \cdot (b\gamma) = a(\gamma \cdot (b\gamma)) = a\bar b(\gamma \cdot \gamma) = a\bar b z$

and thus

$(a\gamma, b\gamma) = t((a\gamma) \cdot (b\gamma)) = t(a\bar b z),$

giving (i). Since the inner product on $L_{\mathbb{Q}}$ is symmetric, using Lemma 6.6(ii)(e) we have $z = \bar z$. Thus for all $\psi \in \Psi$ we have

$\psi(z) = \psi(\bar z) = \overline{\psi(z)}$

by Lemma 7.3(i), so $\psi(z) \in \mathbb{R}$. For all $a \in \mathbb{Q}(G)$ we have

$0 \le (a\gamma, a\gamma) = t(a\bar a z) = \frac{1}{n}\sum_{\psi \in \Psi} \psi(a\bar a z)$

by Lemma 7.3(ii). By Lemma 7.4(vii) it follows that $\psi(z) \ge 0$ for all $\psi \in \Psi$. If $a \in \mathbb{Q}(G)$ and $za = 0$, then

$(a\gamma, a\gamma) = t(a\bar a z) = 0,$

so $a = 0$. Therefore multiplication by $z$ is an injective, and thus surjective, map from $\mathbb{Q}(G)$ to itself. Thus $z \in \mathbb{Q}(G)^*$ and $\psi(z) \in \mathbb{R}_{>0}$ for all $\psi \in \Psi$, by Lemma 7.4(vi). This gives (ii) and (iii).

Define

$L^{-1} = \{y \in L_{\mathbb{Q}} : L \cdot y \subset Z(G)\}$

and let $m \in \mathbb{Z}_{>1}$. We have

$L \supset Z(G)e_m \supset i(m)L,$

so $e_m \in \mathbb{Q}(G)^*\gamma$ and therefore $e_m \cdot e_m \in \mathbb{Q}(G)^*$. Now

$i(m)(e_m \cdot e_m)^{-1} e_m \in L^{-1},$

because for all $x \in L$ one has

$i(m)\,x \cdot (e_m \cdot e_m)^{-1} e_m \in Z(G)e_m \cdot (e_m \cdot e_m)^{-1} e_m = Z(G).$

Therefore

$i(m) = e_m \cdot i(m)(e_m \cdot e_m)^{-1} e_m \in L \cdot L^{-1} \subset Z(G).$

This is true for all $m \in \mathbb{Z}_{>1}$, so $1 \in L \cdot L^{-1}$ and $L \cdot L^{-1} = Z(G)$.

Now for $y \in L_{\mathbb{Q}}$ one has $y \in \bar L$ if and only if $y \in L$, if and only if for all $x \in L$ one has $(x, y) \in \mathbb{Z}$, if and only if for all $x \in L$ and $\sigma \in G$ one has $(x, \sigma y) = (\sigma^{-1}x, y) \in \mathbb{Z}$, if and only if for all $x \in L$ one has $x \cdot y \in Z(G)$, if and only if $y \in L^{-1}$. So $\bar L = L^{-1}$. Thus $L \cdot L = Z(G)$, giving (iv).

If $I \subset \mathbb{Q}(G)$ is such that $L = I\gamma$, then $I \cong L$, $x \mapsto x\gamma$, as $Z(G)$-modules. Then

$Z(G) = L \cdot L = I\gamma \cdot I\gamma = I\bar I z,$

so $I\bar I = Z(G)z^{-1}$. Now

$(x\gamma, y\gamma) = t(x\gamma \cdot y\gamma) = t(x\bar y z) = (x, y)_{I, z^{-1}}$

for all $x, y \in I$. Thus, $L_{(I, z^{-1})} \cong L$ as $G$-lattices. This gives (v). □

We are now ready to prove Theorem 11.1.

For (a) ⇒ (d), apply Lemma 11.5 with $w = z^{-1}$.

For (d) ⇒ (b), by (d) we have $L \otimes_{Z(G)} \bar L \cong I \otimes_{Z(G)} \bar I$. Using Lemma 11.4(iii) we have that the composition

$I \otimes_{Z(G)} \bar I \to I\bar I = Z(G)w \to Z(G)$

is an isomorphism, where the first map sends $x \otimes y$ to $xy$ and the last map sends $a$ to $a/w$. Since $x \cdot y = x\bar y/w$, this gives (b).

For (b) ⇒ (c), suppose (b) holds, i.e., the map

$\varphi : L \otimes_{Z(G)} \bar L \to Z(G), \quad x \otimes y \mapsto x \cdot y$

is an isomorphism of $Z(G)$-modules. Then $L$ is unimodular, as follows. Consider the maps

$L \to \mathrm{Hom}_{Z(G)}(\bar L, Z(G)) \to \mathrm{Hom}(\bar L, \mathbb{Z}) \to \mathrm{Hom}(L, \mathbb{Z}),$

where the left-hand map is the $Z(G)$-module isomorphism induced by $\varphi$, defined by $x \mapsto (y \mapsto x \cdot y)$, the middle map is $f \mapsto t \circ f$, and the right-hand map is $g \mapsto (y \mapsto g(y))$. The latter two maps are group isomorphisms; for the middle map note that its inverse is

$f \mapsto \Big(x \mapsto \sum_{\sigma \in S} f(\sigma^{-1}x)\,\sigma\Big).$

The composition, which takes $x$ to

$(y \mapsto t(x \cdot y) = (x, y)),$

is therefore a bijection, so $L$ is unimodular. Then (c) holds by taking $M = \bar L$.

For (c) ⇒ (a), by Lemma 7.3 we have $\mathbb{Q}(G) = \prod_{j \in J} K_j$ with $\#J < \infty$ and fields $K_j$. Each $\mathbb{Q}(G)$-module $V$ is $V = \prod_{j \in J} V_j$ with each $V_j$ a $K_j$-vector space. With $V = L \otimes_{\mathbb{Z}} \mathbb{Q}$ and $W = M \otimes_{\mathbb{Z}} \mathbb{Q}$ we have

$\prod_{j \in J} V_j \otimes_{K_j} W_j \cong V \otimes_{\mathbb{Q}(G)} W \cong \mathbb{Q}(G) \cong \prod_{j \in J} K_j.$

This holds if and only if for all $j$ we have

$(\dim_{K_j} V_j)(\dim_{K_j} W_j) = 1,$

which holds if and only if for all $j$ we have

$\dim_{K_j} V_j = \dim_{K_j} W_j = 1.$

This holds if and only if $V \cong W \cong \mathbb{Q}(G)$ as $\mathbb{Q}(G)$-modules. Thus, $L$ and $M$ may be viewed as fractional $Z(G)$-ideals in $\mathbb{Q}(G)$, and $LM$ is principal, so $L$ and $M$ are invertible fractional $Z(G)$-ideals. By Lemma 11.4(i), if $I$ is an invertible fractional $Z(G)$-ideal, then $I/mI$ is cyclic as a $Z(G)$-module, for every positive integer $m$. Thus $L/mL$ is cyclic as a $Z(G)$-module, so (a) holds.

This concludes the proof of Theorem 11.1.

12. Short vectors in invertible lattices

Recall that $G$ is a group of order $2n$ equipped with an element $u$ of order 2. The main result of this section is Theorem 12.4, which shows in particular that a $G$-lattice is $G$-isomorphic to the standard $G$-lattice if and only if it is invertible and has a short vector (i.e., a vector of length 1).

Definition 12.1. We will say that a vector $e$ in an integral lattice $L$ is short if $(e, e) = 1$.

Example 12.2. The short vectors in the standard lattice of rank $n$ are the $2n$ signed standard basis vectors

$\{(0, \ldots, 0, \pm 1, 0, \ldots, 0)\}.$

Thus, the set of short vectors in $Z(G)$ is $G$.

Proposition 12.3. Suppose $L$ is an invertible $G$-lattice. Then:

(i) if $e$ is short, then $\{\sigma \in G : \sigma e = e\} = \{1\}$;

(ii) if $e$ is short, then

$(e, \sigma e) = \begin{cases} 1 & \text{if } \sigma = 1, \\ -1 & \text{if } \sigma = u, \\ 0 & \text{for all other } \sigma \in G; \end{cases}$

(iii) $e \in L$ is short if and only if $e \cdot e = 1$, with inner product $\cdot$ defined in Definition 9.2.

Proof. Suppose $e \in L$ is short. Let

$H = \{\sigma \in G : \sigma e = e\}.$

For all $\sigma \in G$, by the Cauchy-Schwarz inequality we have

$|(e, \sigma e)| \le ((e, e)(\sigma e, \sigma e))^{1/2} = (e, e) = 1,$

and $|(e, \sigma e)| = 1$ if and only if $e$ and $\sigma e$ lie on the same line through 0. Thus

$(e, \sigma e) \in \{1, 0, -1\}.$

Then $(e, \sigma e) = 1$ if and only if $\sigma \in H$. Also, $(e, \sigma e) = -1$ if and only if $\sigma e = -e$ if and only if $\sigma \in Hu$. Otherwise, $(e, \sigma e) = 0$. Thus for (i,ii), it suffices to prove $H = \{1\}$. Let $m = \#H$.

Let $T$ be a set of coset representatives for $G$ mod $H\langle u \rangle$ and let $S = T \cdot H$, a set of coset representatives for $G$ mod $\langle u \rangle$. If

$a = \sum_{\sigma \in S} a_\sigma \sigma \in (\mathbb{Z}/m\mathbb{Z})(G)$

is fixed by $H$, then $a_{\tau\sigma} = a_\sigma$ for all $\sigma \in S$ and $\tau \in H$, so

$a \in \Big(\sum_{\tau \in H} \tau\Big)(\mathbb{Z}/m\mathbb{Z})(G).$

By Definition 9.4, Theorem 11.1 and Lemma 11.4 there is a $\mathbb{Z}[G]$-module isomorphism

$L/mL \cong (\mathbb{Z}/m\mathbb{Z})(G).$

Since $e + mL$ is fixed by $H$, we have

$e + mL \in \Big(\sum_{\tau \in H} \tau\Big)(L/mL),$

so $e \in mL + \big(\sum_{\tau \in H} \tau\big)L$. Write

$e = m\varepsilon_1 + \Big(\sum_{\tau \in H} \tau\Big)\varepsilon_2$

with $\varepsilon_1, \varepsilon_2 \in L$. Since

$(e, \tau\varepsilon_2) = (\tau e, \tau\varepsilon_2) = (e, \varepsilon_2)$

for all $\tau \in H$, we have

$1 = (e, e) = m(e, \varepsilon_1) + \sum_{\tau \in H}(e, \tau\varepsilon_2) = m(e, \varepsilon_1 + \varepsilon_2) \equiv 0 \bmod m.$

Thus, $m = 1$ as desired. Part (iii) follows directly from (ii) and Definition 9.2. □

This enables us to prove the following result.

Theorem 12.4. Suppose $L$ is a $G$-lattice. Then:

(i) if $L$ is invertible, then the map

$\{G\text{-isomorphisms } Z(G) \to L\} \to \{\text{short vectors of } L\}$

that sends $f$ to $f(1)$ is bijective;

(ii) if $e \in L$ is short and $L$ is invertible, then $\{\sigma e : \sigma \in G\}$ generates the abelian group $L$;

(iii) $L$ is $G$-isomorphic to $Z(G)$ if and only if $L$ is invertible and has a short vector;

(iv) if $e \in L$ is short and $L$ is invertible, then the map

$G \to \{\text{short vectors of } L\}, \quad \sigma \mapsto \sigma e$

is bijective.

Proof. For (i), that $f(1)$ is short is clear. Injectivity of the map $f \mapsto f(1)$ follows from $Z(G)$-linearity of $G$-isomorphisms. For surjectivity, suppose $e \in L$ is short. Proposition 12.3(ii) says that $\{\sigma e\}_{\sigma \in S}$ is an orthonormal basis for $L$. Parts (ii) and (i) now follow, where the $G$-isomorphism $f$ is defined by $x \mapsto xe$ for all $x \in Z(G)$. Part (iii) follows from (i) and Lemma 9.5. Part (iv) is trivial for $Z(G)$, and $L$ is $G$-isomorphic to $Z(G)$, so we have (iv). □
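As an added example (not from the paper), the Python below builds, from a short vector $e$ of an invertible $G$-lattice, the orthonormal basis $\{\sigma e : \sigma \in S\}$ and the matrix of the $G$-isomorphism $Z(G) \to L$, $x \mapsto xe$, of Theorem 12.4(i), and checks the values $(e, \sigma e)$ predicted by Proposition 12.3(ii). Assumptions: $G = \mathbb{Z}/8\mathbb{Z}$ with generator $x$, $n = 4$, $u = x^4$, $S = \{1, x, x^2, x^3\}$; the lattice is $Z(G)$ written in a constructed scrambled basis, and the short vectors are found by brute force in a small coordinate box, which works for this toy input only (the paper obtains short vectors by basis reduction).

```python
"""Theorem 12.4 in practice: a short vector e of an invertible G-lattice yields the
orthonormal basis {sigma e : sigma in S} and hence a G-isomorphism Z(G) -> L.

Assumptions of this example: G = Z/8Z with generator x, n = 4, u = x^4,
S = {1, x, x^2, x^3}; a G-lattice is given by the Gram matrix of a basis and the
integer matrix A of the generator x.  Short vectors are found by brute force in a
small coordinate box, which suffices for the constructed lattice below only.
"""
from itertools import product

N = 4

def mat_vec(M, v):
    return [sum(M[i][j] * v[j] for j in range(N)) for i in range(N)]

def mat_mul(M, P):
    return [[sum(M[i][k] * P[k][j] for k in range(N)) for j in range(N)] for i in range(N)]

def transpose(M):
    return [[M[j][i] for j in range(N)] for i in range(N)]

def ip(x, y, gram):
    """The inner product (x, y) of the lattice in the given basis."""
    return sum(x[i] * gram[i][j] * y[j] for i in range(N) for j in range(N))

def is_short(e, gram):
    """Definition 12.1: e is short iff (e, e) = 1."""
    return ip(e, e, gram) == 1

def short_vectors(gram, bound=1):
    """Short vectors with all coordinates in [-bound, bound]; brute force, toy inputs only."""
    return [list(v) for v in product(range(-bound, bound + 1), repeat=N) if is_short(v, gram)]

def orbit(e, A):
    """The vectors x^i e for i = 0, ..., 3, i.e. sigma e for sigma in S."""
    out, w = [], list(e)
    for _ in range(N):
        out.append(w)
        w = mat_vec(A, w)
    return out

def inner_products_with_orbit(e, gram, A):
    """(e, x^i e) for i = 0, ..., 2n-1.  Proposition 12.3(ii) predicts 1 at i = 0,
    -1 at i = n (since x^n = u acts as -1) and 0 elsewhere."""
    out, w = [], list(e)
    for _ in range(2 * N):
        out.append(ip(e, w, gram))
        w = mat_vec(A, w)
    return out

IDENTITY = [[int(i == j) for j in range(N)] for i in range(N)]
STD_A = [[0, 0, 0, -1], [1, 0, 0, 0], [0, 1, 0, 0], [0, 0, 1, 0]]   # x on Z(G) = Z[x]/(x^4+1)

def iso_from_short(e, gram, A):
    """Theorem 12.4(i): the G-isomorphism f : Z(G) -> L with f(1) = e, as the matrix F
    whose i-th column is f(x^i) = x^i e.  Returns None unless e is short and F really
    is an isometry that intertwines the G-actions: F^T gram F = I and A F = F STD_A."""
    if not is_short(e, gram):
        return None
    F = transpose(orbit(e, A))
    if mat_mul(transpose(F), mat_mul(gram, F)) != IDENTITY:
        return None
    if mat_mul(A, F) != mat_mul(F, STD_A):
        return None
    return F

# Constructed input: Z(G) in the scrambled basis given by the columns of the unimodular U,
# so that the short vectors are no longer visible as signed basis vectors.
U = [[1, 1, 0, 0], [0, 1, 1, 0], [0, 0, 1, 1], [0, 0, 0, 1]]
U_INV = [[1, -1, 1, -1], [0, 1, -1, 1], [0, 0, 1, -1], [0, 0, 0, 1]]
GRAM = mat_mul(transpose(U), U)              # Gram matrix of the new basis (standard Gram is I)
A = mat_mul(U_INV, mat_mul(STD_A, U))        # matrix of x in the new basis

if __name__ == "__main__":
    for e in short_vectors(GRAM):
        print(e, inner_products_with_orbit(e, GRAM, A), iso_from_short(e, GRAM, A) is not None)
```

The scrambled lattice has exactly $2n = 8$ short vectors, one orbit under $G$ (Theorem 12.4(iv)), and every one of them produces a valid isomorphism; a lattice vector that is not short, such as $b_2 + b_3$ here, is rejected.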


13. Tensor products of G-lattices

Recall that $G$ is a finite abelian group with an element $u$ of order 2. We will define the tensor product of invertible $G$-lattices, and derive some properties. For background on tensor products, see the cited literature.

Definition 13.1. Suppose that $L$ and $M$ are invertible $G$-lattices. Define the $Z(G)$-bilinear map

$\cdot : (L \otimes_{Z(G)} M) \times (L \otimes_{Z(G)} M) \to Z(G), \quad (a, b) \mapsto a \cdot b$

by letting

$(x \otimes v) \cdot (y \otimes w) = (x \cdot y)(v \cdot w)$

for all $x, y \in L$ and $v, w \in M$ and extending $Z(G)$-bilinearly. Take

$\overline{L \otimes_{Z(G)} M}$

to be $\bar L \otimes_{Z(G)} \bar M$, with

$\overline{x \otimes v} = \bar x \otimes \bar v.$

Example 13.2. Let $L = L_{(I_1, w_1)}$ and $M = L_{(I_2, w_2)}$ where $I_1, I_2$ are fractional $Z(G)$-ideals, $w_1, w_2 \in \mathbb{Q}(G)^*$ are such that $\psi(w_i) \in \mathbb{R}_{>0}$ for all $\psi \in \Psi$, and $I_i\bar I_i = Z(G)w_i$ for $i = 1, 2$. Then $L \otimes_{Z(G)} M$ may be identified with $I_1 I_2$ via Lemma 11.4, and $\bar L \otimes_{Z(G)} \bar M$ may be identified with $\bar I_1 \bar I_2$, and the dot product

$I_1 I_2 \times I_1 I_2 \to Z(G)$

from Definition 13.1 becomes $a \cdot b = a\bar b/(w_1 w_2)$ as in Example 9.3. This is precisely the lifted inner product of the $G$-lattice $L_{(I_1 I_2, w_1 w_2)}$ (which is invertible by Theorem 11.1). We thus have

(13.1) $L_{(I_1, w_1)} \otimes_{Z(G)} L_{(I_2, w_2)} \cong L_{(I_1 I_2, w_1 w_2)}.$

Theorem 13.3. Let $L$ and $M$ be invertible $G$-lattices. Then $L \otimes_{Z(G)} M$ is an invertible $G$-lattice with inner product

$(a, b) = t(a \cdot b),$

where the dot product is defined in Definition 13.1 and equals the lifted inner product for this $G$-lattice.

Proof. By Theorem 11.1 we may assume that $L = L_{(I_1, w_1)}$ and $M = L_{(I_2, w_2)}$ where $I_1, I_2$ are fractional $Z(G)$-ideals, $w_1, w_2 \in \mathbb{Q}(G)^*$ are such that $\psi(w_i) \in \mathbb{R}_{>0}$ for all $\psi \in \Psi$, and $I_i\bar I_i = Z(G)w_i$ for $i = 1, 2$. In this case, we already checked the theorem in Example 13.2. □

Proposition 13.4. Suppose that $L$, $M$, and $N$ are invertible $G$-lattices. Then we have the following $G$-isomorphisms:

(i) $L \otimes_{Z(G)} M \cong M \otimes_{Z(G)} L$,

(ii) $(L \otimes_{Z(G)} M) \otimes_{Z(G)} N \cong L \otimes_{Z(G)} (M \otimes_{Z(G)} N)$,

(iii) $L \otimes_{Z(G)} Z(G) \cong L$,

(iv) $L \otimes_{Z(G)} \bar L \cong Z(G)$.

Proof. By Theorem 11.1 we may reduce to the case where the invertible $G$-lattices are of the form $L_{(I,w)}$. Then (13.1) immediately gives (i) and (ii). For (iii) and (iv), note that $Z(G) = L_{(Z(G), 1)}$, and if $L = L_{(I,w)}$ then

$\bar L = L_{(\bar I, \bar w)} \cong L_{(I^{-1}, w^{-1})}.$ □

Remark 13.5. One can extend parts (i), (ii), and (iii) of Proposition 13.4 to general $G$-lattices, by replacing $L \otimes_{Z(G)} M$ by its image in $L_{\mathbb{Q}} \otimes_{\mathbb{Q}(G)} M_{\mathbb{Q}}$. That image is a $G$-lattice with lifted inner product given by the same formula.
14. The Witt-Picard group

This section, which is mostly a digression, is devoted to what we call the Witt-Picard group $\mathrm{WPic}_{Z(G)}$. The results of this section are not directly used later, with the exception of the proof of Theorem 14.5, but it may be said that the properties of $\mathrm{WPic}_{Z(G)}$, in particular its finiteness, are what makes our algorithms possible. Also, several of our results admit an attractive reformulation in terms of $\mathrm{WPic}_{Z(G)}$. As before, $G$ is a finite abelian group of order $2n$ equipped with an element $u$ of order 2.

Definition 14.1. We define

$\mathrm{WPic}_{Z(G)} = \{[L] : L \text{ is an invertible } G\text{-lattice}\},$

where the symbols $[L]$ are chosen so that $[L] = [M]$ if and only if $L$ and $M$ are $G$-isomorphic.

Theorem 14.2. The set $\mathrm{WPic}_{Z(G)}$ is an abelian group, with group operation defined by

$[L] \cdot [M] = [L \otimes_{Z(G)} M],$

with identity element $[Z(G)]$, and with

$[L]^{-1} = [\bar L].$

Proof. This follows immediately from Theorem 13.3 and Proposition 13.4. □

Corollary 14.3. Suppose that $L$ and $M$ are invertible $G$-lattices. Then $L$ and $M$ are $G$-isomorphic if and only if $L \otimes_{Z(G)} \bar M$ and $Z(G)$ are $G$-isomorphic.

Proof. This follows immediately from Theorem 14.2. More precisely,

$[L] = [M] \iff [L][M]^{-1} = 1 = [Z(G)] \iff [L \otimes_{Z(G)} \bar M] = [Z(G)] \iff L \otimes_{Z(G)} \bar M \cong_G Z(G),$

where $\cong_G$ means $G$-isomorphic. □

The following description of $\mathrm{WPic}_{Z(G)}$ is reminiscent of the definition of class groups in algebraic number theory.

Proposition 14.4. Let $\mathcal{I}_{Z(G)}$ denote the group of invertible fractional $Z(G)$-ideals. Then the group $\mathrm{WPic}_{Z(G)}$ is isomorphic to the quotient of the group

$\{(I, w) \in \mathcal{I}_{Z(G)} \times \mathbb{Q}(G)^* : I\bar I = Z(G)w \text{ and } \psi(w) \in \mathbb{R}_{>0} \text{ for all } \psi \in \Psi\}$

by its subgroup $\{(Z(G)v, v\bar v) : v \in \mathbb{Q}(G)^*\}$.

Proof. Define the map by $(I, w) \mapsto [L_{(I,w)}]$. Surjectivity follows from Theorem 11.1, and the kernel is the desired subgroup by Theorem 8.5. □

Just as for the class group, we have:

Theorem 14.5. The group $\mathrm{WPic}_{Z(G)}$ is finite.

Proof. If $L$ is an invertible $G$-lattice and $\{b_1, \ldots, b_n\}$ is an LLL-reduced basis, and for $\sigma \in G$ we have $\sigma(b_i) = \sum_{j=1}^{n} a^{(\sigma)}_{ij} b_j$ with $a^{(\sigma)}_{ij} \in \mathbb{Z}$, then

$|(b_i, b_j)| \le 2^{n-1} \quad \text{and} \quad |a^{(\sigma)}_{ij}| \le 3^{n-1}$

for all $i$, $j$, and $\sigma$, by Proposition 3.4(iii) and (iv). Thus there are only finitely many possibilities for the integers $(b_i, b_j)$ and $a^{(\sigma)}_{ij}$.

If $L'$ is also an invertible $G$-lattice with LLL-reduced basis $\{b'_1, \ldots, b'_n\}$, and if we have

$(b_i, b_j) = (b'_i, b'_j) \quad \text{and} \quad a^{(\sigma)}_{ij} = a'^{(\sigma)}_{ij}$

for all $i$, $j$, and $\sigma$, then the group isomorphism

$L \to L', \quad b_i \mapsto b'_i$

is an isomorphism of $G$-lattices. The finiteness of $\mathrm{WPic}_{Z(G)}$ now follows. □

We call $\mathrm{WPic}_{Z(G)}$ the Witt-Picard group of $Z(G)$. The reason for the nomenclature lies in Theorem 11.1. If $R$ is a commutative ring, an invertible $R$-module is an $R$-module $L$ for which there exists an $R$-module $M$ with $L \otimes_R M \cong R$. The Picard group $\mathrm{Pic}_R$ is the set of invertible $R$-modules up to isomorphism, where the group operation is tensoring over $R$. This addresses the module structure, while Witt rings reflect the structure as a unimodular lattice.

We remark that one can formulate algorithms for $\mathrm{WPic}_{Z(G)}$, as follows. Elements $[L] \in \mathrm{WPic}_{Z(G)}$ are represented as $L$ with an LLL-reduced basis.

Proposition 14.6. There are deterministic polynomial-time algorithms for:

(i) finding the unit element,

(ii) inverting,

(iii) multiplying,

(iv) exponentiation,

(v) equality testing.

Proof. Part (i) is trivial, since $1 = [Z(G)]$. For (ii) we have $[L]^{-1} = [\bar L]$, and the algorithm is to replace each $\sigma$ by $\bar\sigma$. For parts (iii), (iv), and (v) use Algorithms 15.2 and 15.3 below and Theorem 1.2, respectively. □

15. Multiplying and exponentiating invertible G-lattices

In this section we give algorithms for multiplying and exponentiating invertible $G$-lattices. We shall always assume that all $G$-lattices in inputs and outputs of algorithms are specified via an LLL-reduced basis. As we saw in the proof of Theorem 14.5, this prevents coefficient blow-up.

Algorithm 15.1. Given invertible $G$-lattices $L$ and $M$ equipped with LLL-reduced bases, the algorithm outputs $L \otimes_{Z(G)} M$ with an LLL-reduced basis and an $n \times n \times n$ array of integers to describe the multiplication map

$L \times M \to L \otimes_{Z(G)} M.$

(i) Realize $L$ as $L_{(I,w)}$ as in Lemma 11.5, using $\gamma = e_2$, and likewise realize $M$ as $L_{(J,v)}$.

(ii) Compute $IJ \subset \mathbb{Q}(G)$ and an LLL-reduced basis for the $G$-lattice $L_{(IJ, wv)}$.

(iii) Output $L \otimes_{Z(G)} M = L_{(IJ, wv)}$ and the multiplication map

$L \times M \to L \otimes_{Z(G)} M$

coming from multiplication $I \times J \to IJ$ in the ring $\mathbb{Q}(G)$.

An alternative (probably less efficient) option is to directly use the definition of tensor product, i.e., compute $L \otimes_{Z(G)} M$ as

$(L \otimes_{\mathbb{Z}} M)\Big/\Big(\sum_{\sigma, i, j} \mathbb{Z}(\sigma b_i \otimes b'_j - b_i \otimes \sigma b'_j)\Big),$

where

$L \otimes_{\mathbb{Z}} M = \bigoplus_{i, j} \mathbb{Z}(b_i \otimes b'_j).$

With either choice, Algorithm 15.1 runs in polynomial time. Using ideals works well for computing products and low powers (cf. Algorithm 19.1(vii) below). However, computing high powers of ideals cannot be done in polynomial time, but computing high tensor powers of $G$-lattices is possible. Likewise, the map $L \to L^{\otimes r}$, $d \mapsto d^{\otimes r}$, cannot be written down for large $r$, but one can compute the composition

$L \to L^{\otimes r} \to L^{\otimes r}/mL^{\otimes r}$

(see Algorithm 15.2), and thanks to Proposition 4.3 this suffices for our purposes. Applying Algorithm 15.1 gives the following polynomial-time algorithm.

Algorithm 15.2. Given $G$ and $u$ as usual, invertible $G$-lattices $L$ and $L'$ equipped with LLL-reduced bases, a positive integer $m$, and elements $d \in L/mL$ and $d' \in L'/mL'$, the algorithm computes $L \otimes_{Z(G)} L'$ and the element

$d \otimes d' \in (L \otimes L')/m(L \otimes L').$

(i) Apply Algorithm 15.1 to compute $L \otimes_{Z(G)} L'$.

(ii) Lift $d$ to $L$ and $d'$ to $L'$, and then apply the composition

$L \times L' \to L \otimes_{Z(G)} L' \to (L \otimes L')/m(L \otimes L').$

For all $G$, $u$, and $m \in \mathbb{Z}_{>0}$, by the proof of Theorem 14.5 there is a bound on the runtime of the previous algorithm that holds uniformly for all $L$, $L'$, $d$, and $d'$, and this bound is polynomial in the length of the data specifying $G$, $u$, and $m$.

Applying basis reduction, and iterating Algorithm 15.2 using an addition chain for $r$, gives the following polynomial-time algorithm. It replaces the polynomial chains in §7.4 of the Gentry-Szydlo paper [3].

Algorithm 15.3. Given $G$, $u$, an invertible $G$-lattice $L$, positive integers $m$ and $r$, and $d \in L/mL$, the algorithm computes $L^{\otimes r}$ and $d^{\otimes r} \in L^{\otimes r}/mL^{\otimes r}$.

Note that it is $\log(r)$ and not $r$ that enters in the runtime. This means that very high powers of lattices can be computed without coefficient blow-up, thanks to the basis reduction that takes place in Algorithm 15.1(ii). The fact that this is possible was one of the crucial ideas of Gentry and Szydlo.
16. The extended tensor algebra Λ

The extended tensor algebra $\Lambda$ is a single algebraic structure that comprises all rings and lattices that our main algorithm needs, including their inner products. Suppose $L$ is an invertible $G$-lattice. Letting $L^{\otimes 0} = Z(G)$ and letting

$L^{\otimes m} = L \otimes_{Z(G)} \cdots \otimes_{Z(G)} L \quad (\text{with } m \text{ copies of } L)$

and

$L^{\otimes(-m)} = \bar L^{\otimes m} = \bar L \otimes_{Z(G)} \cdots \otimes_{Z(G)} \bar L$

for all $m \in \mathbb{Z}_{>0}$, define the extended tensor algebra

$\Lambda = \bigoplus_{i \in \mathbb{Z}} L^{\otimes i} = \cdots \oplus \bar L^{\otimes 3} \oplus \bar L^{\otimes 2} \oplus \bar L \oplus Z(G) \oplus L \oplus L^{\otimes 2} \oplus L^{\otimes 3} \oplus \cdots$

("extended" because we extend the usual notion to include negative exponents $L^{\otimes(-m)}$). Each $L^{\otimes i}$ is an invertible $G$-lattice, and represents $[L]^i$. For simplicity, we denote $L^{\otimes i}$ by $L^i$. For all $j \in \mathbb{Z}$ we have $\overline{L^j} = \bar L^{\,j} = L^{-j}$. Note that computing the $G$-lattice $L^{-1} = \bar L$ is trivial; just compose the $G$-action map $G \to \mathrm{GL}(n, \mathbb{Z})$ with the map $G \to G$, $\sigma \mapsto \bar\sigma$. The ring structure on $\Lambda$ is defined as the ring structure on the tensor algebra, supplemented with the lifted inner product $\cdot$ of Definition 9.2. Let $\Lambda_{\mathbb{Q}} = \Lambda \otimes_{\mathbb{Z}} \mathbb{Q}$.

Proposition 16.1. (i) The extended tensor algebra $\Lambda$ is a commutative ring containing $Z(G)$ as a subring;

(ii) for all $j \in \mathbb{Z}$, the action of $G$ on $L^j$ becomes multiplication in $\Lambda$;

(iii) $\Lambda$ has an involution $x \leftrightarrow \bar x$ extending both the involution of $Z(G)$ and the map $L \to \bar L$;

(iv) if $j \in \mathbb{Z}$, then the lifted inner product $\cdot : L^j \times L^j \to Z(G)$ becomes multiplication in $\Lambda$, with $\overline{L^j} = L^{-j}$;

(v) if $j \in \mathbb{Z}$, then for all $x, y \in L^j$ we have $(x, y) = t(x\bar y)$;

(vi) if $j \in \mathbb{Z}$ and $e \in L^j$ is short, then $\bar e = e^{-1}$ in $\Lambda$;

(vii) if $\gamma$ is as in Lemma 11.5, then $\gamma \in \Lambda_{\mathbb{Q}}$, one has $L^i_{\mathbb{Q}} = \mathbb{Q}(G)\gamma^i$ for all $i \in \mathbb{Z}$, and $\Lambda_{\mathbb{Q}}$ may be identified with the Laurent polynomial ring $\mathbb{Q}(G)[\gamma, \gamma^{-1}]$;

(viii) if $e \in L$ is short, then $\Lambda = Z(G)[e, e^{-1}]$, where the right side is the subring of $\Lambda$ generated by $Z(G)$, $e$, and $e^{-1}$, which is a Laurent polynomial ring.

Proof. The proof is straightforward. It is best to begin with (vii). □

All computations in $\Lambda$ and in $\Lambda/m\Lambda = \bigoplus_{i \in \mathbb{Z}} L^i/mL^i$ with $m \in \mathbb{Z}_{>0}$ that occur in our algorithms are done with homogeneous elements only, where the set of homogeneous elements of $\Lambda$ is $\bigcup_{i \in \mathbb{Z}} L^i$.

If $A$ is a commutative ring, let $\mu(A)$ denote the subgroup of $A^*$ consisting of the roots of unity, i.e., the elements of finite order. The following result will allow us to construct a polynomial-time algorithm to find $k$-th roots of short vectors, when they exist.

Proposition 16.2. Suppose $L$ is an invertible $G$-lattice, $r \in \mathbb{Z}_{>0}$, and $\nu$ is a short vector in the $G$-lattice $L^r$. Let

$A = \Lambda/(\nu - 1).$

Identifying $\bigoplus_{i=0}^{r-1} L^i \subset \Lambda$ with its image in $A$, we can view $A = \bigoplus_{i=0}^{r-1} L^i$ as a $\mathbb{Z}/r\mathbb{Z}$-graded ring. Then:

(i) $G \subset \mu(A) \subset \bigcup_{i=0}^{r-1} L^i$,

(ii) $\{e \in L : e \cdot e = 1\} = \mu(A) \cap L$,

(iii) $\#\mu(A)$ is divisible by $2n$ and divides $2nr$,

(iv) the degree map $\mu(A) \to \mathbb{Z}/r\mathbb{Z}$ that takes $e \in \mu(A)$ to $j$ such that $e \in L^j$ is surjective if and only if $\mu(A) \cap L \ne \emptyset$, and

(v) there exists $e \in L$ for which $e \cdot e = 1$ if and only if $\#\mu(A) = 2nr$.


Proof. Since the ideal

$(\bar\nu - 1) = (\nu^{-1} - 1) = (1 - \nu) = (\nu - 1),$

the map $a \mapsto \bar a$ induces an involution on $A$.

Next we show that the natural map

$\bigoplus_{i=0}^{r-1} L^i \to \Lambda/(\nu - 1) = A$

is bijective. For surjectivity, by Proposition 16.1(vi) we have $\nu L^j = L^{j+r}$ for all $j \in \mathbb{Z}$, and thus $L^{j+r}$ and $L^j$ have the same image under the natural map $\Lambda \to \Lambda/(\nu - 1) = A$. For injectivity, suppose

$0 \ne a = \sum_{i=h}^{j} a_i \in \Lambda$

with $h \le j$, with all $a_i \in L^i$, and with $a_h \ne 0$ and $a_j \ne 0$. Then

$(\nu - 1)a = \sum_{i=h}^{j+r} b_i$

with $b_i \in L^i$, where $b_h = -a_h \ne 0$ and $b_{j+r} = \nu a_j \ne 0$, and therefore

$(\nu - 1)a \notin \bigoplus_{i=0}^{r-1} L^i.$

Hence we have

$(\nu - 1)\Lambda \cap \bigoplus_{i=0}^{r-1} L^i = \{0\}.$

The injectivity now follows.

Recall that $\Psi$ is the set of $\mathbb{C}$-algebra homomorphisms from $\mathbb{C}(G)$ to $\mathbb{C}$. Letting $A_{\mathbb{Q}} = A \otimes_{\mathbb{Z}} \mathbb{Q}$, we have

$A_{\mathbb{Q}} = \Lambda_{\mathbb{Q}}/(\nu - 1)\Lambda_{\mathbb{Q}} \quad \text{and} \quad \Lambda_{\mathbb{Q}} = \bigoplus_{i \in \mathbb{Z}} L^i_{\mathbb{Q}}.$

Since $L$ is invertible, by Lemma 11.5 there exists $\gamma \in L_{\mathbb{Q}}$ such that

$L_{\mathbb{Q}} = \mathbb{Q}(G) \cdot \gamma$

with $z = \gamma\bar\gamma \in \mathbb{Q}(G)^*$ and $\psi(z) \in \mathbb{R}_{>0}$ for all $\psi \in \Psi$. By Proposition 16.1(vii), we have $\gamma \in \Lambda_{\mathbb{Q}}$, and

$L^j_{\mathbb{Q}} = \mathbb{Q}(G)\gamma^j$

for all $j \in \mathbb{Z}$, and

$\Lambda_{\mathbb{Q}} = \bigoplus_{i \in \mathbb{Z}} L^i_{\mathbb{Q}} = \mathbb{Q}(G)[\gamma, \gamma^{-1}].$

Thus, there exists $\delta \in \mathbb{Q}(G)^*$ such that $\nu = \delta\gamma^r$. The set of ring homomorphisms from $A$ to $\mathbb{C}$ can be identified with the set of ring homomorphisms from $A_{\mathbb{Q}}$ to $\mathbb{C}$, which is

$\{\text{ring homomorphisms } \varphi : \Lambda_{\mathbb{Q}} \to \mathbb{C} : \varphi(\nu) = 1\}.$

The latter set can be identified with

$\{(\psi, \zeta) : \psi \in \Psi,\ \zeta \in \mathbb{C}^*,\ \psi(\delta)\zeta^r = 1\}$

via the map $\varphi \mapsto (\varphi|_{\mathbb{Q}(G)}, \varphi(\gamma))$ and its inverse, and has size $nr$. Since

$1 = \nu\bar\nu = (\delta\gamma^r)(\bar\delta\bar\gamma^r) = \delta\bar\delta z^r,$

we have

$\psi(\delta)\overline{\psi(\delta)}\psi(z)^r = 1 = \psi(\delta)\overline{\psi(\delta)}(\zeta\bar\zeta)^r,$

so $\psi(z)^r = (\zeta\bar\zeta)^r$. Since $\psi(z)$ and $\zeta\bar\zeta$ lie in $\mathbb{R}_{>0}$, we have $\psi(z) = \zeta\bar\zeta$. Since $\bar\gamma = z\gamma^{-1}$, we now have

$\varphi(\bar\gamma) = \psi(z)\zeta^{-1} = \bar\zeta = \overline{\varphi(\gamma)}.$

By Lemma 7.3(i) we have $\psi(\bar a) = \overline{\psi(a)}$ for all $a \in \mathbb{Q}(G)$. Since $\Lambda_{\mathbb{Q}}$ is generated as a ring by $\mathbb{Q}(G)$ and $\gamma$, it follows that $\varphi(\bar a) = \overline{\varphi(a)}$ for all $a \in \Lambda_{\mathbb{Q}}$ and all ring homomorphisms $\varphi : \Lambda_{\mathbb{Q}} \to \mathbb{C}$.

Applying Lemma 7.1(ii) to the commutative $\mathbb{Q}$-algebra $A_{\mathbb{Q}}$ shows that

$\bigcap_{\varphi} \ker\varphi = 0.$

Let

$E = \{\varepsilon \in A : \varepsilon\bar\varepsilon = 1\},$

a subgroup of $A^*$.

If $\varepsilon \in \mu(A)$, then $\varphi(\varepsilon)$ is a root of unity in $\mathbb{C}$ for all ring homomorphisms $\varphi : A \to \mathbb{C}$, so

$1 = \varphi(\varepsilon)\overline{\varphi(\varepsilon)} = \varphi(\varepsilon)\varphi(\bar\varepsilon) = \varphi(\varepsilon\bar\varepsilon).$

Since $\bigcap \ker\varphi = 0$, we have $\varepsilon\bar\varepsilon = 1$. Thus, $\mu(A) \subset E$.

Conversely, suppose $\varepsilon \in E$. Write $\varepsilon = \sum_{i=0}^{r-1} \varepsilon_i$ with $\varepsilon_i \in L^i$, so $\bar\varepsilon = \sum_{i=0}^{r-1} \bar\varepsilon_i$ with $\bar\varepsilon_i \in L^{-i} = L^{r-i}$ in $A$. We have

$1 = \varepsilon\bar\varepsilon = \sum_{i=0}^{r-1} \varepsilon_i\bar\varepsilon_i,$

the degree 0 piece of $\varepsilon\bar\varepsilon$. Applying the map $t$ of Definition 6.2 and using (9.2) we have $1 = \sum_{i=0}^{r-1} (\varepsilon_i, \varepsilon_i)$. It follows that there exists $j$ such that $(\varepsilon_j, \varepsilon_j) = 1$, and $\varepsilon_i = 0$ if $i \ne j$. Thus,

$E \subset \bigcup_{i=0}^{r-1} \{e \in L^i : (e, e) = 1\},$

giving (i). By Proposition 12.3(iii) and Example 12.2 we have $E \cap Z(G) = G$, so $\mu(Z(G)) = G$.

The degree map from $E$ to $\mathbb{Z}/r\mathbb{Z}$ that takes $\varepsilon \in E$ to $j$ such that $\varepsilon \in L^j$ is a group homomorphism with kernel $E \cap Z(G) = G$. Therefore, $\#E$ divides $\#G \cdot \#(\mathbb{Z}/r\mathbb{Z}) = 2nr$. Thus, $E \subset \mu(A) \subset E$, so $E = \mu(A)$ and we have (ii) and (iii). The degree map is surjective if and only if $\#\mu(A) = 2nr$, and if and only if 1 is in the image, i.e., if and only if $\mu(A) \cap L \ne \emptyset$. This gives (iv). Part (v) now follows from (ii). □

Remark 16.3. In the proof of Proposition 16.2 we showed that $\mu(Z(G)) = G$.

17. Short vectors 

Recall that G is a finite abelian group of order 2 n equipped with an element u 
of order 2. The main result of this section is Algorithm 117.41 

Definition 17.1. The exponent of a finite group H is the least positive integer k 
such that <j k = 1 for all a £ H. 

The exponent of a finite group H divides ffH and has the same prime factors 
as #H. 

Notation 17.2. Let k denote the exponent of G. 

By Theorem 112.41 the G-isomorphisms Z(G) © L for a G-lattice L are in one- 
to-one correspondence with the short vectors of L, and if a short e € L exists, then 
the short vectors of L are exactly the 2 n vectors {<re : a G G}. With k the exponent 
of G, we have 

(ere) = a e = e 

in A. Hence for invertible L, all short vectors in L have the same Ar-th power e k G A. 
At least philosophically, it is easier to find things that are uniquely determined. We 
look for e k first, and then recover e from it. 

The n of (4j is an odd prime, so the group exponent k = 2 n, and Z(G) embeds 
in Q(( n ) x Q, where ( n G C* is a primitive n-th root of unity. Since the latter is 
a product of only two number fields, the number of zeros of X 2n — v 2n is at most 
(2n) 2 , and the Gentry-Szydlo method for finding v from v 2n is sufficiently efficient. 
If one wants to generalize [3] to the case where n is not prime, then the smallest t 
such that Z(G) embeds in T\ x ... x F t with number fields Fi can be as large as n. 
Given v, the number of zeros of X k — v could be as large as k*. Finding e such that 
v = e k then requires a more efficient algorithm, which we attain with Algorithm 
117.41 below. 

An order is a commutative ring $A$ whose additive group is isomorphic to $\mathbb{Z}^n$ for
some $n \in \mathbb{Z}_{>0}$. We specify an order by saying how to multiply any two vectors in a
given basis. In [?] we prove the following result, and give the associated algorithm.

Proposition 17.3. There is a deterministic polynomial-time algorithm that, given
an order $A$, determines a set of generators for the group $\mu(A)$ of roots of unity in
$A^*$.

Algorithm 17.4. Given $G$ of exponent $k$, $u$, a fractional $Z(G)$-ideal $I$, an element
$w \in Q(G)^*$ such that $I\bar{I} = Z(G) \cdot w$ and $\varphi(w) \in \mathbb{R}_{>0}$ for all $\varphi \in \Phi$, a short vector
$v$ in the G-lattice $L_{(I^k, w^k)}$, and the order $A = \bigoplus_{i=0}^{k-1} I^i$ with multiplication

$I^i \times I^j \to I^{i+j}, \quad (x, y) \mapsto xy \quad \text{if } i + j < k$

and

$I^i \times I^j \to I^{i+j-k}, \quad (x, y) \mapsto xy/v \quad \text{if } i + j \ge k,$

the algorithm determines whether there exists $\alpha \in L_{(I,w)}$ such that $v = \alpha^k$ in
$L_{(I^k, w^k)}$ and $\alpha \cdot \bar{\alpha} = 1$, and if so, finds one.

(i) Apply Proposition 17.3 to compute generators for $\mu(A)$.

(ii) Apply the degree map $\mu(A) \to \mathbb{Z}/k\mathbb{Z}$ from Proposition 16.2(iv) to the
generators, and check whether the images generate $\mathbb{Z}/k\mathbb{Z}$. If they do not,
output “no $\alpha$ exists”; if they do, compute an element $\alpha \in \mu(A)$ whose
image under the degree map is 1.

(iii) Check whether $v = \alpha^k$. If not, output “no $\alpha$ exists”. If so, output $\alpha$.

Proposition 17.5. Algorithm 17.4 produces correct output and runs in polynomial
time.

Proof. We apply Proposition 16.2 with $r = k$. With $L = L_{(I,w)}$, our order $A$ can be
identified with the ring $A/(v - 1)$ of that proposition. Suppose Step (ii) produces
$\alpha \in \mu(A)$ of degree 1. Then

$\alpha \in \mu(A) \cap L = \{\varepsilon \in L : \varepsilon \cdot \bar{\varepsilon} = 1\}$

by Proposition 16.2(ii). By Proposition 12.3(iii), this set is the set of short vectors
in $L_{(I,w)}$. By Theorem 12.4(iv), if a short $e \in L_{(I,w)}$ exists, then the short vectors
in $L_{(I,w)}$ are exactly the $2n$ vectors $\{\sigma e : \sigma \in G\}$, which all have the same $k$-th
power since $k$ is the exponent of $G$. By this and Proposition 16.2(iv), if any step
fails then the desired $\alpha$ does not exist. The algorithm runs in polynomial time since

$\#\mu(A) = 2nk \le (2n)^2$

by Proposition 16.2(v). □

18. Finding auxiliary prime powers 

In this section we present an algorithm to find auxiliary prime powers $\ell$ and
$m$. To bound the runtime, we use Heath-Brown's version of Linnik's theorem in
analytic number theory.

Recall that G is a finite abelian group equipped with an element u of order 2, 
and k is the exponent of G. 

Notation 18.1. For $m \in \mathbb{Z}_{>0}$ let $k(m)$ denote the exponent of the unit group

$(Z(G)/(m))^*.$

Lemma 18.2. Suppose $p$ is a prime number and $j \in \mathbb{Z}_{>0}$. Then:

(i) $(\mathbb{Z}/p^j\mathbb{Z})^* \subset (Z(G)/(p^j))^*$;

(ii) if $p$ is odd, then the exponent of $(\mathbb{Z}/p^j\mathbb{Z})^*$ is $(p-1)p^{j-1}$;

(iii) if $p \equiv 1 \bmod k$, then $k(p^j) = (p-1)p^{j-1}$.

Proof. Parts (i) and (ii) are easy. For (iii), we proceed by induction on $j$. If $p \equiv 1
\bmod k$, then $p$ is odd. We first take $j = 1$. The map $x \mapsto x^p$ is a ring endomorphism
of $Z(G)/(p)$ and is the identity on $G$, since the exponent $k$ divides $p - 1$. Since $G$
generates the ring, the map is the identity and therefore $x^p = x$ for all $x \in Z(G)/(p)$
and $x^{p-1} = 1$ for all $x \in (Z(G)/(p))^*$.

Now suppose $j > 1$. Suppose $x \in Z(G)$ maps to a unit in $Z(G)/(p^j)$. By the
induction hypothesis,

$x^{(p-1)p^{j-2}} \equiv 1 \bmod p^{j-1}.$

Thus, $x^{(p-1)p^{j-2}} = 1 + p^{j-1}v$ for some $v \in Z(G)$. Since $(j-1)p > j$ we have

$x^{(p-1)p^{j-1}} = (1 + p^{j-1}v)^p = 1 + \cdots + p^{(j-1)p}v^p \equiv 1 \bmod p^j.$

Thus, $k(p^j)$ divides $(p-1)p^{j-1}$ for all $j \in \mathbb{Z}_{>0}$. Part (iii) now follows from (i) and
(ii). □
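As an added illustration (example code, not from the paper), take $G$ cyclic of order $2n$ with $u$ its element of order 2, so that $Z(G) = \mathbb{Z}[G]/(u+1) \cong \mathbb{Z}[x]/(x^n + 1)$ and $k = 2n$. The ring $Z(G)/(p)$ is then small enough to enumerate, and the code brute-forces $k(p)$ of Notation 18.1 to confirm the conclusion $k(p) = p - 1$ of Lemma 18.2(iii) for a prime $p \equiv 1 \bmod k$, and to show that it fails for a prime that is not.

```python
from itertools import product
from math import gcd

def mul_mod(a, b, n, p):
    """Product in (Z/pZ)[x]/(x^n + 1); elements are coefficient lists of length n.
    For G cyclic of order 2n this ring is Z(G)/(p) (constructed example)."""
    out = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < n:
                out[i + j] = (out[i + j] + ai * bj) % p
            else:                       # x^n = -1 folds the high coefficients back
                out[i + j - n] = (out[i + j - n] - ai * bj) % p
    return out

def unit_group_exponent(n, p):
    """k(p) for G cyclic of order 2n: the exponent of (Z(G)/(p))^*.
    In a finite ring an element is a unit iff some positive power of it is 1, so
    enumerate every element, take the order of each unit, and return their lcm."""
    one = [1] + [0] * (n - 1)
    limit = p ** n                      # no unit can have order beyond the ring size
    exponent = 1
    for coeffs in product(range(p), repeat=n):
        a = list(coeffs)
        power, order = a, 1
        while power != one and order <= limit:
            power = mul_mod(power, a, n, p)
            order += 1
        if power == one:                # a is a unit of this order
            exponent = exponent * order // gcd(exponent, order)
    return exponent

def lemma_18_2_iii_holds(n, p):
    """Conclusion of Lemma 18.2(iii) for j = 1 and k = 2n: k(p) = p - 1."""
    return unit_group_exponent(n, p) == p - 1
```

For $n = 3$ (so $k = 6$) the prime $7 \equiv 1 \bmod 6$ gives $k(7) = 6$, while $p = 5$ gives exponent 24, because $x^2 - x + 1$ stays irreducible modulo 5 and contributes a factor $\mathbb{F}_{25}$.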

Theorem 18.3 (Heath-Brown, Theorem 6 of [?]). There is an effective constant
$c > 0$ such that if $a, t \in \mathbb{Z}_{>0}$ and $\gcd(a, t) = 1$, then the smallest prime $p$ such that
$p \equiv a \bmod t$ is at most $ct^{5.5}$.

Algorithm 18.4. Given positive integers $n$ and $k$ with $k$ even, the algorithm
produces prime powers $\ell = p^r$ and $m = q^s$ with $\ell, m > 2^{n/2} + 1$ such that $p \equiv q \equiv 1
\bmod k$ and $\gcd(\phi(\ell), \phi(m)) = k$, where $\phi$ is Euler's phi function.

(i) Try $p = k + 1, 2k + 1, 3k + 1, \ldots$ until the least prime $p \equiv 1 \bmod k$ is found.

(ii) Find the smallest $r \in \mathbb{Z}_{>0}$ such that $p^r > 2^{n/2} + 1$.

(iii) Try $q = p + k, p + 2k, \ldots$ until the least prime $q \equiv 1 \bmod k$ such that
$\gcd((p-1)p, q-1) = k$ is found.

(iv) Find the smallest $s \in \mathbb{Z}_{>0}$ such that $q^s > 2^{n/2} + 1$.

(v) Let $\ell = p^r$ and $m = q^s$.
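The five steps above, as an added worked example (not the paper's code), together with the quantities derived from their output later on: $k(\ell)$ and $k(m)$ of Algorithm 18.7 step (iii), and the $b$ of Algorithm 19.1 step (vi). Everything is exact integer arithmetic; the bound $p^r > 2^{n/2} + 1$ is tested as $(p^r - 1)^2 > 2^n$.

```python
from math import gcd

def is_prime(n):
    """Trial division; sufficient here since p and q are bounded polynomially in k."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True

def least_power_exceeding(p, n):
    """Smallest r >= 1 with p^r > 2^(n/2) + 1. Since p^r - 1 > 0 this is
    equivalent to (p^r - 1)^2 > 2^n, which needs no floating point."""
    r, pr = 1, p
    while (pr - 1) ** 2 <= 2 ** n:
        r, pr = r + 1, pr * p
    return r

def auxiliary_prime_powers(n, k):
    """Algorithm 18.4 (k even). Returns (p, r, q, s): l = p^r and m = q^s exceed
    2^(n/2) + 1, p = q = 1 mod k, and gcd((p - 1)p, q - 1) = k."""
    p = k + 1                                   # (i): least prime p = 1 mod k
    while not is_prime(p):
        p += k
    r = least_power_exceeding(p, n)             # (ii)
    q = p + k                                   # (iii): q = p + k, p + 2k, ...
    while not (is_prime(q) and gcd((p - 1) * p, q - 1) == k):
        q += k
    s = least_power_exceeding(q, n)             # (iv)
    return p, r, q, s                           # (v): l = p^r, m = q^s

def unit_group_exponents(n, k):
    """Algorithm 18.7 step (iii): k(l) = (p-1)p^(r-1) and k(m) = (q-1)q^(s-1),
    which by Lemma 18.2(iii) equal phi(l) and phi(m); their gcd must be k."""
    p, r, q, s = auxiliary_prime_powers(n, k)
    kl, km = (p - 1) * p ** (r - 1), (q - 1) * q ** (s - 1)
    assert gcd(kl, km) == k
    return kl, km

def exponent_b(n, k):
    """Algorithm 19.1 step (vi): b > 0 with b*k(m) = k mod k(l). Divide the
    congruence by k = gcd(k(l), k(m)) and invert k(m)/k modulo k(l)/k."""
    kl, km = unit_group_exponents(n, k)
    mod = kl // k
    return pow(km // k, -1, mod) % mod or mod   # mod == 1 gives b = 1
```

For $n = 3$, $k = 6$ this returns $p = 7$, $q = 13$ with $r = s = 1$; for $n = 20$, $k = 20$ it returns $\ell = 41^2$, $m = 61^2$, $k(\ell) = 1640$, $k(m) = 3660$ and $b = 13$.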

Proposition 18.5. Algorithm 18.4 runs in time $(n + k)^{O(1)}$.

Proof. Algorithm 18.4 takes as input $n, k \in \mathbb{Z}_{>0}$ with $k$ even, and computes positive
integers $r$ and $s$ and primes $p$ and $q$ such that:

• $p \equiv q \equiv 1 \bmod k$,

• $\gcd((p-1)p^{r-1}, (q-1)q^{s-1}) = k$,

• $p^r > 2^{n/2} + 1$, and

• $q^s > 2^{n/2} + 1$.

We next show that Algorithm 18.4 terminates, with correct output, in the
claimed time. By Theorem 18.3 above, the prime $p$ found by Algorithm 18.4 sat-
isfies $p \le ck^{5.5}$ with an effective constant $c > 0$. Primality testing can be done by
trial division. If $p - 1 = k_1 k_2$ with every prime divisor of $k_1$ also dividing $k$ and
with $\gcd(k_2, k) = 1$, then to have

$\gcd((p-1)p, q-1) = k$

it suffices to have

$q \equiv 2 \bmod p \quad \text{and} \quad q \equiv 1 + k \bmod k_1 \quad \text{and} \quad q \equiv 2 \bmod k_2.$

This gives a congruence

$q \equiv a \bmod p(p-1)$

for some $a$ with $\gcd(a, p(p-1)) = 1$. Theorem 18.3 implies that Algorithm 18.4
produces a prime $q$ with the desired properties and satisfying

$q \le c(p^2)^{5.5} \le c(ck^{5.5})^{11} = c^{12}k^{60.5}.$

The upper bounds on $p$ and $q$ imply that Algorithm 18.4 runs in time $(n + k)^{O(1)}$. □

Remark 18.6. In practice, Algorithm 18.4 is much faster than implied by the proof
of Proposition 18.5. Theorem 18.3 is unnecessarily pessimistic, and in practice one
does not need to find a prime $q$ that is congruent to 2 mod $pk_2$ and to $1 + k$ mod $k_1$.
In work in progress, we get better bounds for the runtime of our main algorithm,
and avoid using the theorem of Heath-Brown or Algorithm 18.4 by generalizing
our theory to the setting of “CM orders”.

Algorithm 18.4 immediately yields the following algorithm.

Algorithm 18.7. Given $G$ and $u$, the algorithm produces prime powers $\ell$ and $m$
such that

$\ell, m > 2^{n/2} + 1 \quad \text{and} \quad \gcd(k(\ell), k(m)) = k,$

where $k$ is the exponent of $G$, and produces the values of $k(\ell)$ and $k(m)$.

(i) Compute $n$ and $k$.

(ii) Run Algorithm 18.4 to compute prime powers $\ell = p^r$ and $m = q^s$ with

$\ell, m > 2^{n/2} + 1$

such that

$p \equiv q \equiv 1 \bmod k \quad \text{and} \quad \gcd(\phi(\ell), \phi(m)) = k.$

(iii) Compute $k(\ell) = (p-1)p^{r-1}$ and $k(m) = (q-1)q^{s-1}$.

By Lemma 18.2(iii), Algorithm 18.7 produces the desired output. It follows from
Proposition 18.5 that Algorithm 18.7 runs in polynomial time (note that the input
in Algorithm 18.7 includes the group law on $G$).

Remark 18.8. Our prime powers $\ell$ and $m$ play the roles that in the Gentry-Szydlo
paper [3] were played by auxiliary prime numbers

$P, P' > 2^{(n+1)/2}$

such that

$\gcd(P - 1, P' - 1) = 2n.$

Our $k(\ell)$ and $k(m)$ replace their $P - 1$ and $P' - 1$. While the Gentry-Szydlo primes
$P$ and $P'$ are found with at best a probabilistic algorithm, we can find $\ell$ and $m$ in
polynomial time with a deterministic algorithm. (Further, the ring elements they
work with were required to not be zero divisors modulo $P$, $P'$ and other small
auxiliary primes; we require no analogous condition on $\ell$ and $m$, since by Definition
9.4 when $L$ is invertible then for all $m$, the $(\mathbb{Z}/m\mathbb{Z})(G)$-module $L/mL$ is free of
rank 1.)

The next result will provide the proof of correctness for a key step in our main 
algorithm. 

Lemma 18.9. Suppose $e$ is a short vector in an invertible G-lattice $L$, suppose
$\ell, m \in \mathbb{Z}_{\ge 3}$, and suppose $e_{\ell m} \in L$ is such that $e_{\ell m} + \ell m L$ generates $L/\ell m L$ as a
$(\mathbb{Z}/\ell m\mathbb{Z})(G)$-module. Then $e^{k(m)}$ is the unique short vector in the coset

$e_{\ell m}^{k(m)} + mL^{k(m)}$

and there is a unique $s \in ((\mathbb{Z}/\ell\mathbb{Z})(G))^*$ such that

$e^{k(m)} \equiv s\, e_{\ell m}^{k(m)} \bmod \ell L^{k(m)}.$

If further $b \in \mathbb{Z}_{>0}$ and $bk(m) \equiv k \bmod k(\ell)$, then $e^k$ is the unique short vector in
$s^b e_{\ell m}^k + \ell L^k$.
Proof. Since $e$ is short, we have $Z(G)e = L$. Thus for all $r \in \mathbb{Z}_{>0}$, the coset $e + rL$
generates $L/rL$ as a $Z(G)/(r)$-module. We also have that $e_{\ell m} + mL$ generates
$L/mL$ as a $Z(G)/(m)$-module, and $e_{\ell m} + \ell L$ generates $L/\ell L$ as a $Z(G)/(\ell)$-module.
Thus, there exist $y_m \in (Z(G)/(m))^*$ and $y_\ell \in (Z(G)/(\ell))^*$ such that

$e_{\ell m} \equiv y_m e \bmod mL \quad \text{and} \quad e_{\ell m} \equiv y_\ell e \bmod \ell L.$

It follows that

$e_{\ell m}^{k(m)} \equiv e^{k(m)} \bmod mL^{k(m)} \quad \text{and} \quad e_{\ell m}^{k(\ell)} \equiv e^{k(\ell)} \bmod \ell L^{k(\ell)}.$

We have

$(\mathbb{Z}/\ell\mathbb{Z})(G)e = L/\ell L = (\mathbb{Z}/\ell\mathbb{Z})(G)e_{\ell m}.$

Thus

$(\mathbb{Z}/\ell\mathbb{Z})(G) \cdot e^{k(m)} = L^{k(m)}/\ell L^{k(m)} = (\mathbb{Z}/\ell\mathbb{Z})(G) \cdot e_{\ell m}^{k(m)},$

so

(18.1) $e^{k(m)} \equiv s\, e_{\ell m}^{k(m)} \bmod \ell L^{k(m)}$

for a unique $s \in ((\mathbb{Z}/\ell\mathbb{Z})(G))^*$. We have $e \cdot \bar{e} = 1$, so

$e \in A^* \quad \text{and} \quad e + \ell A \in (A/\ell A)^*.$

By (18.1) we have

$(e + \ell A)^{k(m)} = s(e_{\ell m} + \ell A)^{k(m)}$

in $A/\ell A = \bigoplus_{i \in \mathbb{Z}} L^i/\ell L^i$. It follows that

$e_{\ell m} + \ell A \in (A/\ell A)^*.$

If $ak(\ell) + bk(m) = k$ with $a \in \mathbb{Z}$, then

$e^k = (e^{k(\ell)})^a (e^{k(m)})^b \equiv (e_{\ell m}^{k(\ell)})^a (s\, e_{\ell m}^{k(m)})^b = s^b e_{\ell m}^k \bmod \ell A,$

so $s^b e_{\ell m}^k + \ell L^k$ contains the short vector $e^k$ of $L^k$. In both cases, uniqueness follows
from Proposition 14.1. □


19. The main algorithm 

Algorithm 19.1 below is the algorithm promised in Theorem 1.1. That it is cor-
rect and runs in polynomial time follows from the results above; see the discussion
after the algorithm. As before, $k$ is the exponent of the group $G$ and $k(j)$ is the
exponent of $(Z(G)/(j))^*$ if $j \in \mathbb{Z}_{>0}$.

Algorithm 19.1. Given $G$, $u$, and a G-lattice $L$, the algorithm determines whether
there exists a G-isomorphism $Z(G) \to L$, and if so, computes one.

(i) Apply Algorithm 10.3 to check whether $L$ is invertible. If it is not, termi-
nate with “no”.

(ii) Apply Algorithm 18.7 to produce prime powers $\ell$ and $m$ as well as $k(\ell)$
and $k(m)$.

(iii) Use Proposition 10.1 to compute $e_{\ell m}$ and $e_2$.

(iv) Use Algorithm 15.3 to compute the pair

$(L^{k(m)},\ e_{\ell m}^{k(m)} + mL^{k(m)}).$

Use Algorithm 14.2 to decide whether the coset $e_{\ell m}^{k(m)} + mL^{k(m)}$
contains a short vector $v_m \in L^{k(m)}$, and if so, compute it. Terminate with
“no” if none exists.

(v) Compute $s \in (\mathbb{Z}/\ell\mathbb{Z})(G)$ such that

$v_m = s\, e_{\ell m}^{k(m)} + \ell L^{k(m)}$

in $L^{k(m)}/\ell L^{k(m)}$.

(vi) Use the extended Euclidean algorithm to find $b \in \mathbb{Z}_{>0}$ such that

$bk(m) \equiv k \bmod k(\ell).$

(vii) Compute

$I = \{x \in Q(G) : xe_2 \in L\}$

and compute $I^i$ for $i = 2, \ldots, k$.

(viii) Compute $s^b \in (\mathbb{Z}/\ell\mathbb{Z})(G)$ and

$s^b (e_{\ell m}/e_2)^k + \ell I^k \in I^k/\ell I^k.$

Use Algorithm 14.2 to decide whether the coset

$s^b (e_{\ell m}/e_2)^k + \ell I^k$

contains a short vector $v$ for the lattice $L_{(I^k, w^k)}$ where
$w = (e_2 \cdot \bar{e}_2)^{-1}$,

and if so, compute it. Terminate with “no” if none exists.

(ix) Construct the order $A = \bigoplus_{i=0}^{k-1} I^i$ with multiplication

$I^i \times I^j \to I^{i+j}, \quad (x, y) \mapsto xy \quad \text{if } i + j < k$

and

$I^i \times I^j \to I^{i+j-k}, \quad (x, y) \mapsto xy/v \quad \text{if } i + j \ge k.$

Apply Algorithm 17.4 to find $\alpha \in L_{(I,w)}$ such that $v = \alpha^k$ and $\alpha \cdot \bar{\alpha} = 1$
(or to prove there is no G-isomorphism). Let $e = \alpha e_2 \in L$, and let the
map $Z(G) \to L$ send $x$ to $xe$.

Proposition 19.2. Algorithm 19.1 is a deterministic polynomial-time algorithm
that, given a finite abelian group $G$, an element $u \in G$ of order 2, and a G-lattice
$L$, outputs a G-isomorphism $Z(G) \to L$ or a proof that none exists.

Proof. By Theorem 12.4(iii), the G-lattice $L$ is G-isomorphic to $Z(G)$ if and only if
$L$ is invertible and has a short vector. Algorithm 10.3 checks whether $L$ is invertible.
If it is, we look for an $e \in L$ such that $e\bar{e} = 1$.

Algorithm 18.7 produces prime powers $\ell, m > 2^{n/2} + 1$ such that

$\gcd(k(\ell), k(m)) = k.$

The algorithm in Proposition 10.1 produces $e_{\ell m}$, which then serves as both $e_m$ and
$e_\ell$. Algorithm 14.2 finds a short vector $v_m$ (if it exists) in the coset

$e_{\ell m}^{k(m)} + mL^{k(m)} \in L^{k(m)}/mL^{k(m)}.$

If $e \in L$ is short, then $v_m = e^{k(m)}$ by Lemma 18.9.

As in Lemma 11.5, the set $I$ is an invertible $Z(G)$-ideal, and the map
$L_{(I,w)} \to L$, $x \mapsto xe_2$, is an isomorphism of G-lattices, so $L = Ie_2$. We next show that $I^i$ for $i = 2, \ldots, k$
can be computed in polynomial time. Let

$q = (L : Z(G)e_2).$

Then $L = Z(G)e_2 + Z(G)e_q$, so $I = Z(G) + Z(G)\beta$ where $\beta = e_q/e_2 \in Q(G)$.
We claim that

$I^i = Z(G) + Z(G)\beta^i$

for all $i \in \mathbb{Z}_{>0}$. Namely, we have

$L \supset Z(G)e_2 \supset qL,$

so $L^i \supset Z(G)e_2^i \supset q^i L^i$. Since $L^i = I^i e_2^i$, we have

$I^i \supset Z(G) \supset q^i I^i.$

Similarly, letting $r = (L : Z(G)e_q)$ we have

$I^i \supset Z(G)\beta^i \supset r^i I^i.$

Since $q$ and $r$ are coprime by Lemma 10.2(i) we have

$I^i \supset Z(G) + Z(G)\beta^i \supset q^i I^i + r^i I^i = I^i,$

and the desired equality follows. Now $\beta, \beta^2, \ldots, \beta^k$ are easily computable in poly-
nomial time, since $k \le 2n$.

By Lemma 18.9, if $\alpha \in L_{(I,w)}$ is short then $v = \alpha^k$. Algorithm 17.4 then finds
a short vector $\alpha \in L_{(I,w)}$, or proves that none exists. Then $e = \alpha e_2$ is a short
vector in $L$, and the map $x \mapsto xe$ gives the desired G-isomorphism from $Z(G)$ to
$L$. □

Remark 19.3. There is a version of the algorithm in which checking invertibility
in step (i) is skipped. In this case, the algorithm may misbehave at other points,
indicating that $L$ is not invertible and thus not G-isomorphic to $Z(G)$ by Lemma
9.5. At the end one would check whether $\langle e, e \rangle = 1$ and $\langle e, \sigma e \rangle = 0$ for all $\sigma \neq 1, u$.
If so, then $\{\sigma e\}_{\sigma \in S}$ is an orthonormal basis for $L$, and $x \mapsto xe$ gives the desired
isomorphism; if not, no such isomorphism exists.

Thanks to Corollary 14.3 we can convert Algorithm 19.1 to an algorithm to test
whether two G-lattices are G-isomorphic (and produce an isomorphism).

Algorithm 19.4. Given $G$, $u$, and two invertible G-lattices $L$ and $M$, the algorithm
determines whether there is a G-isomorphism $M \to L$, and if so, computes one.

(i) Compute $L \otimes_{Z(G)} \bar{M}$.

(ii) Apply Algorithm 19.1 to find a G-isomorphism

$Z(G) \to L \otimes_{Z(G)} \bar{M},$

or a proof that none exists. In the latter case, terminate with “no”.

(iii) Using this map and the map

$\bar{M} \otimes_{Z(G)} M \to Z(G), \quad y \otimes x \mapsto \bar{y} \cdot x,$

output the composition of the (natural) maps
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